CyberSecurityBoard
Sponsor Register Login

Recent TeamCity Vulnerability Exploited in Ransomware Attacks

A TeamCity vulnerability disclosed recently in controversial circumstances is being exploited in ransomware attacks, according to the product's developer and cybersecurity companies.
On March 4, JetBrains, the developer of the TeamCity build management and continuous integration server, announced fixes for CVE-2024-27198 and CVE-2024-27199, two serious authentication bypass vulnerabilities.
CVE-2024-27198, which has been rated critical, can be exploited by remote, unauthenticated attackers to take complete control of a server by creating a new admin user account or by generating an admin access token.
Rapid7, whose researchers discovered the vulnerabilities, made public details of CVE-2024-27198 and CVE-2024-27199 a few hours after JetBrains announced fixes.
Full disclosure seems to have occurred due to miscommunication between the two companies.
Rapid7 was concerned that JetBrains would try to silently patch the vulnerabilities and the vendor was concerned that Rapid7 would disclose details too quickly.
JetBrains informed customers about patches without notifying Rapid7, which decided to immediately disclose details.
This led to threat actors beginning to target CVE-2024-27198 shortly after disclosure on March 4.
By March 6, LeakIX, a project that scans the web for vulnerable and misconfigured systems, started seeing mass exploitation, with signs of rogue user creation seen in 1,400 instances.
More information has now come to light on what attackers are actually doing.
GuidePoint Security reported on Friday that a ransomware group named BianLian, which has been known to target critical infrastructure, may have exploited CVE-2024-27198 for initial access.
In a lengthy blog post published on Monday, JetBrains said many of its customers managed to install the patches before Rapid7 disclosed details and the attacks started, but many did not.
The company said it received reports from some customers whose servers had been compromised.
Two customers allegedly saw their files being encrypted as part of ransomware attacks.
One customer reported that attackers had hacked its TeamCity server and intended on abusing it for DDoS attacks.
JetBrains blamed Rapid7 for its customers' systems getting hacked, highlighting that other vulnerabilities found previously in its products were not exploited as commonly or quickly as CVE-2024-27198.
Threat actors can reverse engineer a patch to create an exploit even if no information is available about the vulnerability, but JetBrains claims that in this case it took steps to make patch analysis more difficult, which would have given its customers more time to install the fixes before malicious exploitation started.


This Cyber News was published on www.securityweek.com. Publication date: Mon, 11 Mar 2024 16:28:06 +0000


Cyber News related to Recent TeamCity Vulnerability Exploited in Ransomware Attacks

TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
6 months ago Feeds.fortinet.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
Sav-Rx data breach impacted over 2.8 million individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks. Microsoft fixed two zero-day bugs exploited in malware ...
4 weeks ago Securityaffairs.com
TeamCity Software Vulnerability Exploited Globally - Over the past few days a security breach has transpired, hackers are taking advantage of a significant flaw in TeamCity On-Premises software, allowing them to create unauthorised admin accounts. This flaw, known as CVE-2024-27198, has prompted urgent ...
3 months ago Cysecurity.news
North Korean Kimsuky used a new Linux backdoor in recent attacks - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
1 month ago Securityaffairs.com
Echoes of SolarWinds: JetBrains TeamCity servers under attack by Russia-backed hackers - The SolarWinds hackers are infiltrating JetBrains TeamCity servers via a critical vulnerability enabling authorization bypass and arbitrary code execution, government officials warn. Russian Foreign Intelligence Service-backed threat actor CozyBear ...
6 months ago Packetstormsecurity.com
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
4 months ago Techrepublic.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
4 months ago Malwarebytes.com
JetBrains warns of new TeamCity auth bypass vulnerability - JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. Tracked as CVE-2024-23917, this critical ...
4 months ago Bleepingcomputer.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
5 months ago Securityboulevard.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
5 months ago Feeds.fortinet.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
5 months ago Unit42.paloaltonetworks.com
The year of Mega Ransomware attacks with unprecedented impact on global organizations - A Staggering 1 in every 10 organizations worldwide hit by attempted Ransomware attacks in 2023, surging 33% from previous year, when 1 in every 13 organisations received ransomware attacks Throughout 2023, organizations around the world have each ...
5 months ago Blog.checkpoint.com
Frameworks, Guidelines & Bounties Alone Won't Defeat Ransomware - COMMENTARY. The US government is ramping up efforts to stem the increasingly disruptive scourge of ransomware attacks. The State Department recently offered up to $15 million for information on LockBit, and $10 million for information on the ...
2 months ago Darkreading.com
Healthcare firm WebTPA data breach impacted 2.5M individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach ...
1 month ago Securityaffairs.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
6 months ago Helpnetsecurity.com
newsletter Round 473 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
4 weeks ago Securityaffairs.com
North Korea-linked IT workers infiltrated hundreds of US firms - CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group ...
1 month ago Securityaffairs.com
BreachForums resurrected after FBI seizure - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group ...
3 weeks ago Securityaffairs.com
Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware - More than one hundred different cyber criminal gangs are actively conducting ransomware attacks, deploying over 50 different ransomware families in campaigns which see them encrypt networks and demand a ransom payment for the decryption key. The ...
1 year ago Zdnet.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
4 months ago Securityboulevard.com
Russian APT exploiting JetBrains TeamCity vulnerability - A known JetBrains TeamCity vulnerability is now being exploited by two nation-state threat groups as some organizations have yet to patch the critical flaw. CISA issued a joint government advisory Wednesday to warn users that a Russian advanced ...
6 months ago Techtarget.com
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
6 months ago Bleepingcomputer.com
Impact of Remote Work and Cloud Migrations on Security Perimeters - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
4 weeks ago Securityaffairs.com
newsletter Round 474 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Critical Fortinet's ...
3 weeks ago Securityaffairs.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)