Attackers are exploiting JetBrains TeamCity flaw to deliver a variety of malware

Attackers are exploiting the recently patched JetBrains TeamCity auth bypass vulnerability (CVE-2024-27198) to deliver ransomware, cryptominers and remote access trojans (RATs), according to Trend Micro researchers.

exploiting CVE-2024-27198

The CVE-2024-27198 timeline

CVE-2024-27198, an authentication bypass vulnerability affecting the TeamCity server, has been disclosed and fixed in early March, along with CVE-2024-27199 – a directory traversal vulnerability in the same instance.

Several proof-of-concept (PoC) exploits have since been published, and analysts started seeing massive exploitation of CVE-2024-27198 soon after.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV) a few days after the disclosure.

At the time, attackers were already seen dropping Jasmin ransomware, which is an open-source tool that imitates WannaCry and is used by security teams to simulate ransomware attack. It has been allegedly modified by the attackers for malicious purposes.

Leveraging legitimate tools

Trend Micro researchers have outlined various attackers exploiting the flaw and delivering different types of malicious payloads.

Some were seen deploying a variant of the open-source XMRig cryptocurrency-mining malware, others deployed the open-source Golang-based SparkRAT backdoor.

“Similar to the cryptocurrency miner installation, the threat actors deploying SparkRAT also used a variety of batch files and LOLBins to perform a multistage attack,” they said.

Some attackers also deployed Cobalt Strike beacons, to prepare the stage for future activities.

Finally, researchers also noticed multiple attempts at discovering network infrastructure and gaining persistence, aimed at manipulating user accounts, groups, and permissions to access the system.

“The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period,” they explained.

The researchers shared indicators of compromise (IoCs) organizations can use to check whether they have been compromised, especially if they haven’t secured their Jet Brains TeamCity instances soon after the patches have been released.

JetBrains has also recently published investigation and remediation guidance for those who weren’t able to secure their servers on time.

Don't miss