Threat actors have been exploiting a critical JetBrains flaw - disclosed and fixed earlier in March - in widespread attacks that have deployed ransomware, backdoors and cryptocurrency miners on compromised systems.
The JetBrains flaw (CVE-2024-27198), an authentication bypass in the web component of the TeamCity continuous integration and continuous deployment (CI/CD) server, can be exploited by unauthenticated attackers for remote code execution. The flaw was initially patched on March 4, along with another bug (CVE-2024-27199), in version 2023.11.4. Shortly after the flaw was disclosed, proof-of-concept exploits were released, and then both security researchers and the U.S. Cybersecurity and Infrastructure Security Agency reported that threat actors were widely targeting the flaw.
Researchers with Trend Micro this week released further details about these exploitation campaigns, saying that they observed threat actors targeting the flaw over the past few weeks in order to perform a variety of malicious operations. Researchers said given the active exploitation, it's essential for organizations to promptly apply the fixes provided by JetBrains.
“The active exploitation of vulnerabilities within TeamCity On-Premises represents a critical threat to organizations relying on this platform for their CI/CD processes,” said Junestherry Dela Cruz and Peter Girnus with Trend Micro in a Tuesday analysis. “Our telemetry has revealed that threat actors are exploiting these vulnerabilities to deploy ransomware, coinminers, and backdoor payloads on compromised TeamCity servers.”
TeamCity, a tool that helps automate the processes for building, testing and deploying software applications, is a “widely used” CI/CD server that is deployed by more than 30,000 customers globally (including on-premises and cloud-hosted servers).
Researchers said in earlier campaigns, threat actors were exploiting the flaw in order to deploy the Jasmin ransomware, an open-source red teaming tool that is intended to help organizations simulate ransomware attacks. In these attacks, the ransomware would rename files and extensions, and drop a ransom note on victims’ systems.
“Upon checking the ransom note’s source code, we discovered that it was obfuscated and used JavaScript to generate the ransom note text, likely to evade detection from security products and ensure that victims will see and read the ransom note file,” said researchers.
In other attacks, threat actors deployed a variant of the open-source XMRig cryptocurrency mining malware, as well as the SparkRAT backdoor, an open-source, Golang-based malware.
“Similar to the cryptocurrency miner installation, the threat actors deploying SparkRAT also used a variety of batch files and LOLBins to perform a multistage attack,” said researchers.
Researchers also saw several attempts in these exploitation efforts to discover network infrastructure, deploy Cobalt Strike beacons and instill persistence on systems with commands that attempted to manipulate various user accounts, groups and permissions.
“The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period,” said researchers.