Attacks targeting two security vulnerabilities in the TeamCity CI/CD platform have begun in earnest just days after its developer, JetBrains, disclosed the flaws on March 3.
The attacks include at least one campaign to distribute ransomware, and another in which a threat actor appears to be creating admin users on vulnerable TeamCity instances for potential future use.
One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum CVSS score of 9.8 out of 10 and is an authentication bypass issue in TeamCity's Web component. Researchers from Rapid7, who found the vulnerability and reported it to JetBrains, have described it as enabling a remote, unauthenticated attacker to execute arbitrary code and take full control of affected instances.
CVE-2024-27199, the other vulnerability that JetBrains disclosed, is a moderate-severity authentication bypass flaw in the same TeamCity Web component. It allows for a "limited amount" of information disclosure and system modification, according to Rapid7.
TeamCity Servers: A Useful Target for Attackers
Some 30,000 organizations use TeamCity to automate build, test, and deployment processes for software projects in CI/CD environments. Like other recent TeamCity flaws, such as CVE-2024-23917 in February 2024 and CVE-2023-42793, which Russia's Midnight Blizzard group (also known for the notorious SolarWinds supply chain attacks) used in attacks last year, the two new ones have stoked considerable concern.
The concern has to do with the potential for attackers to abuse the flaws to take control of an organization's software builds and projects and launch mass supply chain attacks.
"Attackers are realizing that tools like TeamCity for configuration deployment are an easy way to rapidly propagate malicious code," says Greg Fitzgerald, co-founder of Sevco Security. Many also use trusted tools like TeamCity to enable lateral movement on a mass scale, he says.
Stephen Fewer, principal security researcher at Rapid7, says that armed with the new vulnerabilities, an attacker can use search engines like Shodan and FOFA to find exposed TeamCity servers. One caveat is that there is a high number of honeypot servers masquerading as TeamCity servers, so bad actors might need to do some extra work to find legitimate instances, he says.
Exploitation after discovery is trivial, Fewer says. "CVE-2024-27198 can be leveraged via a single HTTP request," he says. This allows "an attacker to create a new administrator user account or access token on the system, and from there the attacker can leverage this to completely take over the server, including remote code execution [RCE] on the target operating system."
By creating a new admin account on a vulnerable instance, an attacker can potentially access and modify all the resources that the TeamCity instance manages, including projects, build agents, and artifacts.
"Another avenue the attacker can employ is to leverage their access to run arbitrary commands on the underlying operating system to take full control over the server," Fewer says. One way to do this is by deploying a malicious TeamCity plug-in that hosts a payload of the attacker's choice. Another option is to leverage a REST API for debugging purposes that is available in some versions of TeamCity to run commands on the operating system. "From here, the attack may pivot deeper into the target's network, or establish persistence on the compromised server to maintain access," Fewer says.
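The two artifacts Fewer describes, a freshly created administrator account and a freshly minted access token, are also the first things a defender should hunt for on an exposed server. The script below is an added example written for this article; it is not JetBrains' code and did not come from Rapid7, CrowdStrike or the other sources quoted here. It takes the JSON that TeamCity's REST API returns for `GET /app/rest/users?fields=user(id,username,roles(role(roleId,scope)))` and `GET /app/rest/users/id:N/tokens`, flags any account holding the global `SYSTEM_ADMIN` role that is not on a known-good allowlist, and flags any token created on or after the March 3 disclosure date. The field names, the role identifier and the compact `yyyyMMddTHHmmss+ZZZZ` timestamp format are assumptions drawn from the public TeamCity REST documentation and should be verified against your server version; the sample payloads are constructed, not captured from a real server.

```python
"""Hunt for rogue admin users and access tokens on a TeamCity server.

Added example, not JetBrains' code. Response shapes and the timestamp
format are assumptions about the TeamCity REST API; verify them locally.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Disclosure date given in the article; exploitation was seen from the next day.
DISCLOSURE = datetime(2024, 3, 3, tzinfo=timezone.utc)

# Accounts expected to hold the global admin role; anything else is suspect.
KNOWN_ADMINS = {"admin"}

# Constructed sample responses (not real server output).
SAMPLE_USERS = json.dumps({
    "count": 3,
    "user": [
        {"id": 1, "username": "admin",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
        {"id": 2, "username": "builder",
         "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:Root"}]}},
        {"id": 57, "username": "svc_update",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    ],
})
SAMPLE_TOKENS = {
    1: json.dumps({"count": 1, "token": [
        {"name": "ci-deploy", "creationTime": "20231120T091200+0000"}]}),
    57: json.dumps({"count": 1, "token": [
        {"name": "x", "creationTime": "20240304T031522+0000"}]}),
}


def parse_tc_time(value):
    """Parse TeamCity's compact timestamp, e.g. '20240304T031522+0000'."""
    return datetime.strptime(value, "%Y%m%dT%H%M%S%z")


def rogue_admins(users_json, known=KNOWN_ADMINS):
    """Usernames holding SYSTEM_ADMIN at global scope ('g') not on the allowlist."""
    found = []
    for user in json.loads(users_json).get("user", []):
        roles = user.get("roles", {}).get("role", [])
        is_global_admin = any(
            r.get("roleId") == "SYSTEM_ADMIN" and r.get("scope") == "g"
            for r in roles)
        if is_global_admin and user["username"] not in known:
            found.append(user["username"])
    return found


def recent_tokens(tokens_json, since=DISCLOSURE):
    """Names of access tokens created at or after `since` (tz-aware compare)."""
    return [t["name"] for t in json.loads(tokens_json).get("token", [])
            if parse_tc_time(t["creationTime"]) >= since]


def hunt(users_json, tokens_by_user_id):
    """Combine both checks into one report keyed by username."""
    report = {}
    users = {u["id"]: u["username"] for u in json.loads(users_json)["user"]}
    for name in rogue_admins(users_json):
        report.setdefault(name, []).append("unexpected global SYSTEM_ADMIN")
    for uid, tok_json in tokens_by_user_id.items():
        for tok in recent_tokens(tok_json):
            report.setdefault(users.get(uid, f"id:{uid}"), []).append(
                f"token '{tok}' created after disclosure")
    return report


def fetch(base_url, bearer_token, path):
    """Fetch one REST path as JSON using a bearer token (assumed auth scheme)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Run offline against the constructed samples; swap in fetch() for a live host.
    for user, issues in hunt(SAMPLE_USERS, SAMPLE_TOKENS).items():
        print(f"{user}: " + "; ".join(issues))
```

Against the constructed data the report names only `svc_update`, which both holds global admin without being on the allowlist and owns a token created the day after disclosure. A hit on a live server is not proof of exploitation by itself, but LeakIX's advice further down applies: if the server was reachable and unpatched, treat it as compromised and pull the server logs and plugin directory as well.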
High-Severity JetBrains TeamCity Threats
On March 5, the director of CrowdStrike's threat hunting team reported observing multiple instances in which a threat actor had exploited the two flaws to deploy what appeared to be a modified version of Jasmin, an open source tool that red-team testers can use to simulate a real ransomware attack. Its maintainers have described Jasmin as a WannaCry clone.
Separately, LeakIX, a site that aggregates breach and leak data, reported detecting some 1,711 exposed TeamCity instances on the Web, of which 1,442 showed signs of someone having created rogue user accounts on them via CVE-2024-27198. "If you were/are still running a vulnerable system, assume compromise," LeakIX noted on X, the platform formerly known as Twitter.
Meanwhile, the nonprofit Internet-monitoring site Shadowserver.org reported observing exploitation activity for CVE-2024-27198 starting March 4, a day after JetBrains disclosed the flaw.
"If running JetBrains TeamCity on-prem, make sure to patch for updated CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!," Shadowserver warned. The volunteer-based cyber threat intelligence group reported detecting 1,182 instances of TeamCity, some of which might already have a patch in place. It identified the top affected countries as the US, with 298 instances, and Germany, with 188.