April 15, 2024

Attacks targeting two security vulnerabilities in the TeamCity CI/CD platform have begun in earnest just days after its developer, JetBrains, disclosed the issues on March 3.

The attacks include at least one campaign to distribute ransomware, and another in which a threat actor appears to be creating admin users on vulnerable TeamCity instances for potential future use.

One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum severity CVSS rating of 9.8 out of 10 and is an authentication bypass issue in TeamCity's Web component. Researchers from Rapid7 who discovered the vulnerability and reported it to JetBrains have described it as enabling a remote unauthenticated attacker to execute arbitrary code and take full control of affected instances.

CVE-2024-27199, the other vulnerability that JetBrains disclosed, is a moderate-severity authentication bypass flaw in the same TeamCity Web component. It allows for a "limited amount" of information disclosure and system modification, according to Rapid7.

TeamCity Developers: A Useful Target for Attackers

Some 30,000 organizations use TeamCity to automate build, testing and deployment processes for software projects in CI/CD environments. Like other recent TeamCity flaws, such as CVE-2024-23917 in February 2024 and CVE-2023-42793, which Russia's Midnight Blizzard group (also known for the notorious SolarWinds supply chain attacks) used in attacks last year, the two new ones have stoked considerable concern.

The concern has to do with the potential for attackers to abuse the flaws to take control of an organization's software builds and projects in order to launch mass supply chain attacks.

"Attackers are realizing that tools like TeamCity for configuration deployment are an easy way to quickly propagate malicious code," says Greg Fitzgerald, co-founder of Sevco Security. Many also use trusted tools like TeamCity to enable lateral movement on a mass scale, he says.

Stephen Fewer, principal security researcher at Rapid7, says that armed with the new vulnerabilities, an attacker can use search engines like Shodan and FOFA to find exposed TeamCity servers. One caveat is that there is a high number of honeypot servers masquerading as TeamCity servers, so bad actors might have to do some extra work to find legitimate instances, he says.

Exploitation after discovery is trivial, Fewer says. "CVE-2024-27198 can be leveraged via a single HTTP request," he says. This allows "an attacker to create a new administrator user account or access token on the system, and from there the attacker can leverage this to completely take over the server, including remote code execution [RCE] on the target operating system."

By creating a new admin account on a vulnerable instance, an attacker can potentially access and modify all of the resources that the TeamCity instance manages, including projects, build agents, and artifacts.

"Another avenue the attacker can employ is to leverage their access to run arbitrary commands on the underlying operating system to take full control over the server," Fewer says. One way to do this is by deploying a malicious TeamCity plug-in that hosts a payload of the attacker's choice. Another option is to leverage a REST API for debugging purposes that is available in some versions of TeamCity to run commands on the operating system. "From here, the attack may pivot deeper into the target's network, or establish persistence on the compromised server to maintain access," Fewer says.
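Because the bypass is used to plant administrator accounts, the first defensive check on a TeamCity server that was exposed before patching is to compare every account holding the server-wide administrator role against the administrators you actually know about. The script below is an added example, not code from the article, JetBrains or Rapid7. It assumes that TeamCity's REST endpoint `/app/rest/users` accepts a `fields` selector and returns JSON in the shape sketched in the constructed `SAMPLE_RESPONSE`, and that the server administrator role is reported as `SYSTEM_ADMIN` with the global scope `"g"`; verify both against your own server before relying on it.

```python
"""Audit a TeamCity server for system administrators you did not create.

Added example (not from the article or from JetBrains/Rapid7). Assumptions:
  - GET /app/rest/users?fields=... returns {"user": [{"username": ..., "roles": {"role": [...]}}]}
  - a server-wide administrator carries roleId "SYSTEM_ADMIN" with scope "g"
"""
import json
import urllib.request

SYSTEM_ADMIN = "SYSTEM_ADMIN"   # assumed role id for a server administrator
GLOBAL_SCOPE = "g"              # assumed scope value meaning "whole server"


def fetch_users(base_url: str, token: str) -> dict:
    """Pull every user with their roles from a live server (assumed API shape).

    `token` is an access token of an administrator you trust; it is sent as a
    Bearer token, which is how TeamCity access tokens are normally presented.
    """
    url = (f"{base_url.rstrip('/')}/app/rest/users"
           "?fields=user(id,username,lastLogin,roles(role(roleId,scope)))")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def global_admins(users_doc: dict) -> list:
    """Return the usernames that hold SYSTEM_ADMIN at global scope, in API order."""
    admins = []
    for user in users_doc.get("user", []):
        roles = user.get("roles", {}).get("role", [])
        if any(r.get("roleId") == SYSTEM_ADMIN and r.get("scope") == GLOBAL_SCOPE
               for r in roles):
            admins.append(user["username"])
    return admins


def unexpected_admins(users_doc: dict, expected: set) -> list:
    """Administrators missing from the allowlist; any hit is a compromise signal."""
    return sorted(set(global_admins(users_doc)) - set(expected))


# Constructed sample response standing in for a live server. The third
# entry mimics an account an intruder would add: a random name, no login yet.
SAMPLE_RESPONSE = {
    "count": 3,
    "user": [
        {"id": 1, "username": "admin", "lastLogin": "20240304T101500+0000",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
        {"id": 2, "username": "builder", "lastLogin": "20240301T080000+0000",
         "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:_Root"}]}},
        {"id": 57, "username": "xl9mkp",   # constructed rogue account
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    ],
}

KNOWN_ADMINS = {"admin"}   # the administrators your organization provisioned


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_users(url, token)
    # to audit a real server.
    for name in unexpected_admins(SAMPLE_RESPONSE, KNOWN_ADMINS):
        print(f"ALERT: unexpected system administrator: {name}")
```

Run the same comparison for access tokens and for build agents and projects you do not recognize; the allowlist approach is the same, and an unexplained entry in any of them means the instance should be treated as compromised rather than simply patched.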

High-Severity JetBrains TeamCity Threats

On March 5, the director of CrowdStrike's threat hunting team reported observing multiple instances in which a threat actor had exploited the two flaws to deploy what appeared to be a modified version of Jasmin, an open source tool that red-team testers can use to simulate a real ransomware attack. Its maintainers have described Jasmin as a WannaCry clone.

Separately, LeakIX, a website that aggregates breach and leak information, reported detecting some 1,711 exposed TeamCity instances on the Internet, of which 1,442 showed signs of someone having created rogue user accounts on them via CVE-2024-27198. "If you were/are still running a vulnerable system, assume compromise," LeakIX noted on X, the platform formerly known as Twitter.

Meanwhile, the nonprofit Internet-monitoring website ShadowServer.org reported observing exploitation activity for CVE-2024-27198 beginning March 4, a day after JetBrains disclosed the flaw.

"If running JetBrains TeamCity on-prem — make sure to patch for updated CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!," Shadowserver warned. The volunteer-based cyber threat intelligence group reported detecting 1,182 instances of TeamCity, some of which might have a patch in place already. It identified the top affected countries as the US with 298 instances, and Germany with 188.