The cyberthreats to users of JetBrains' TeamCity CI/CD platform continue to mount a week after the company issued two fixes to security vulnerabilities, with one cybersecurity vendor noting a ransomware attack that included exploiting the flaws for initial access and a search engine reporting that 1,442 vulnerable instances showed signs of exploitation.
Those reports followed earlier ones indicating that bad actors began targeting the vulnerabilities a day after the fixes were released on March 4, as well as a feud over disclosure policies between JetBrains and researchers at cybersecurity firm Rapid7, who first detected the bugs last month.
It adds up to a messy week for JetBrains and users of TeamCity, a continuous integration and continuous delivery (CI/CD) platform that has been around since 2006 and is pitched as a software platform for creating a flexible development and collaboration environment.
In February, Rapid7 researchers notified JetBrains of the two flaws, CVE-2024-27198, which carries a CVSS severity score of 9.8 out of 10, and CVE-2024-27199, both of which are authentication bypass vulnerabilities.
Attackers could leverage the first flaw to take control of compromised instances and the second to gather information and modify a system.
Threat groups could use both to take control of software development and launch software supply-chain attacks.
Jasmin is an open source tool used by red teams to simulate real ransomware attacks, but it's also been modified by threat groups to develop variants they can use for their own malicious activities.
The operators of another internet monitoring site, ShadowServer, also noted on X on March 5 that they were beginning to see exploitation attempts targeting the TeamCity vulnerabilities, and two days later reported that there were 1,182 instances that were possibly still vulnerable, with most in the United States and Germany.
BianLian Extortion Group Jumps In
Most recently, researchers with cybersecurity vendor GuidePoint Security reported that the operators behind the BianLian ransomware were exploiting the TeamCity vulnerabilities, initially trying to execute their backdoor malware written in the Go programming language.
It was unclear which of the two vulnerabilities the BianLian attackers exploited, they wrote.
After leveraging a vulnerable TeamCity instance to gain initial access, the bad actors were able to create new users in the build server and execute malicious commands that enabled them to move laterally through the network and run post-exploitation activities.
A backdrop to all this was the back-and-forth between JetBrains and Rapid7 about the disclosure of the flaws.
Stephen Fewer, principal security researcher at Rapid7, uncovered the flaws and, according to a timeline from the cybersecurity firm, Rapid7 emailed JetBrains about the vulnerabilities on February 15 and did so again four days later, when JetBrains acknowledged Rapid7's efforts.
On February 20, Rapid7 gave JetBrains a technical analysis of the bugs, and JetBrains said it was able to reproduce the issues.
After more emails between the two companies, JetBrains disclosed the patches March 4 without coordinating with Rapid7.
Rapid7 said its policy is to disclose vulnerability details 24 hours after learning that an update was made generally available.
In its own blog post, JetBrains said that, per its own policy, the plan was to release the fixes and a workaround and communicate with customers about the vulnerabilities through emails.
Days later, the company would publish the CVE information and a blog post about the flaws.
The company decided against a coordinated release with Rapid7 once it was determined that the disclosure policies wouldn't mesh and that the security firm would release technical details before JetBrains typically does.
JetBrains put the onus on Rapid7, writing that it recommended that Rapid7 follow its disclosure policy.
This Cyber News was published on securityboulevard.com. Publication date: Mon, 11 Mar 2024 15:43:07 +0000