Thursday, July 4, 2024

JetBrains TeamCity Mass Exploitation Underway, Rogue Accounts Thrive

Attacks targeting two security vulnerabilities in the TeamCity CI/CD platform have begun in earnest just days after its developer, JetBrains, disclosed the flaws on March 3.

The attacks include at least one campaign to distribute ransomware, and another in which a threat actor appears to be creating admin users on vulnerable TeamCity instances for potential future use.

One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum severity CVSS score of 9.8 out of 10 and is an authentication bypass issue in TeamCity's Web component. Researchers from Rapid7 who discovered the vulnerability and reported it to JetBrains have described it as enabling a remote unauthenticated attacker to execute arbitrary code to take full control of affected instances.

CVE-2024-27199, the other vulnerability that JetBrains disclosed, is a moderate-severity authentication bypass flaw in the same TeamCity Web component. It allows for a "limited amount" of information disclosure and system modification, according to Rapid7.

TeamCity Builds: A Valuable Target for Attackers

Some 30,000 organizations use TeamCity to automate build, testing and deployment processes for software projects in CI/CD environments. Like other recent TeamCity flaws, such as CVE-2024-23917 in February 2024 and CVE-2023-42793, which Russia's Midnight Blizzard group used in attacks last year (the group is also known for the infamous SolarWinds supply chain attacks), the two new ones have stoked considerable concern.

The concerns have to do with the potential for attackers to abuse the flaws to take control of an organization's software builds and projects in order to launch mass supply chain attacks.

"Attackers are realizing that tools like TeamCity for configuration deployment are an easy way to rapidly propagate malicious code," says Greg Fitzgerald, co-founder of Sevco Security. Many also use trusted tools like TeamCity to enable lateral movement on a mass scale, he says.

Stephen Fewer, principal security researcher at Rapid7, says that armed with the new vulnerabilities, an attacker can use search engines like Shodan and FOFA to find exposed TeamCity servers. One caveat is that there is a high number of honeypot servers masquerading as TeamCity servers, so bad actors might have to do some extra work to find legitimate instances, he says.

Exploitation after discovery is trivial, Fewer says. "CVE-2024-27198 can be leveraged via a single HTTP request," he says. This allows "an attacker to create a new administrator user account or access token on the system, and from there the attacker can leverage this to completely take over the server, including remote code execution [RCE] on the target operating system."

By creating a new admin account on a vulnerable instance, an attacker can potentially access and modify all the resources that the TeamCity instance manages, including projects, build agents, and artifacts.

"Another avenue the attacker can employ is to leverage their access to run arbitrary commands on the underlying operating system to take full control over the server," Fewer says. One way to do this is by deploying a malicious TeamCity plug-in that hosts a payload of the attacker's choice. Another option is to leverage a REST API for debugging purposes that is available in some versions of TeamCity to run commands on the operating system. "From here, the attack could pivot deeper into the target's network, or establish persistence on the compromised server to maintain access," Fewer says.

High-Severity JetBrains TeamCity Threats

On March 5, the director of CrowdStrike's threat hunting team reported observing several instances in which a threat actor had exploited the two flaws to deploy what appeared to be a modified version of Jasmin, an open source tool that red-team testers can use to simulate a real ransomware attack. Its maintainers have described Jasmin as a WannaCry clone.

Separately, LeakIX, a site that aggregates breach and leak data, reported detecting some 1,711 exposed TeamCity instances on the Web, of which 1,442 showed signs of someone having created rogue user accounts on them via CVE-2024-27198. "If you were/are still running a vulnerable system, assume compromise," LeakIX noted on X, the platform formerly known as Twitter.

Meanwhile, the nonprofit Internet-monitoring site ShadowServer.org reported observing exploitation activity for CVE-2024-27198 starting Mar 4, a day after JetBrains disclosed the flaw.

"If running JetBrains TeamCity on-prem — make sure to patch for recent CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!," Shadowserver warned. The volunteer-based cyber threat intelligence group reported detecting 1,182 instances of TeamCity, some of which might have a patch in place already. It identified the top affected countries as the US with 298 instances, and Germany with 188.
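The rogue admin accounts and access tokens that Fewer and LeakIX describe are exactly what a defender should look for after "assume compromise". The script below is an added example, not code from the article, JetBrains or Rapid7: it audits a TeamCity user listing for global administrators and token holders outside an allowlist. The JSON field names (roleId SYSTEM_ADMIN, scope g, a per-user tokens list) are assumptions modelled on the REST API, and the sample data is constructed.

```python
import json
from typing import Dict, List

# Constructed sample shaped like a TeamCity REST user listing with roles and
# tokens expanded (field names are an assumption modelled on the REST API;
# the accounts below are made up, not observations from any real server).
SAMPLE_USERS_JSON = """
{"count": 3, "user": [
  {"id": 1, "username": "buildadmin", "name": "Build Admin",
   "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]},
   "tokens": {"token": [{"name": "ci-bot"}]}},
  {"id": 2, "username": "developer1", "name": "Dev One",
   "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:MyProject"}]},
   "tokens": {"token": []}},
  {"id": 57, "username": "zd3kq9", "name": "",
   "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]},
   "tokens": {"token": [{"name": "token"}]}}
]}
"""

# Accounts that are expected to hold global System Administrator rights.
KNOWN_ADMINS = {"buildadmin"}

def is_global_admin(user: Dict) -> bool:
    """True if the user holds SYSTEM_ADMIN in the global ('g') scope."""
    roles = user.get("roles", {}).get("role", [])
    return any(r.get("roleId") == "SYSTEM_ADMIN" and r.get("scope") == "g"
               for r in roles)

def audit_users(users_json: str, known_admins) -> Dict[str, List[str]]:
    """Report unexpected global admins and token holders outside the allowlist."""
    users = json.loads(users_json).get("user", [])
    rogue_admins = []
    token_holders = []
    for u in users:
        name = u["username"]
        if is_global_admin(u) and name not in known_admins:
            rogue_admins.append(name)
        tokens = u.get("tokens", {}).get("token", [])
        if tokens and name not in known_admins:
            token_holders.append(name)
    return {"rogue_admins": sorted(rogue_admins),
            "unexpected_token_holders": sorted(token_holders)}

if __name__ == "__main__":
    report = audit_users(SAMPLE_USERS_JSON, KNOWN_ADMINS)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or 'none'}")
```

Any account it flags should be cross-checked against the server's audit log and, if unexplained, treated as evidence of compromise rather than simply deleted.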
