Exploiting TeamCity Vulnerability Results in Increase of Ransomware, Cryptomining, and RAT Incidents

Multiple threat actors are exploiting a critical vulnerability in JetBrains TeamCity On-Premises to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a remote access trojan known as Spark RAT. The attacks rely on CVE-2024-27198, an authentication bypass that lets an unauthenticated attacker skip the server's authentication checks and take administrative control of an affected instance. The flaw has been used by actors linked to the BianLian and Jasmin ransomware families, and to drop the XMRig cryptocurrency miner and Spark RAT. Trend Micro, which documented the activity, noted that the installed malware communicates with a command-and-control server to receive further commands, including the deployment of ransomware that encrypts files and demands payment from victims.

Because organizations rely on TeamCity for their CI/CD pipelines, and a build server with administrative access exposed typically holds source code, credentials and deployment access, patching promptly is essential. Ransomware attacks have been on the rise, with new strains such as DoNex, Evil Ant, Lighter, RA World, and WinDestroyer surfacing in the wild. Despite law enforcement actions against cybercrime crews like LockBit, these groups are still recruiting affiliates into their programs. WinDestroyer in particular encrypts files and renders systems unusable with no means of recovering the data, which hints at a geopolitical rather than financial motive behind those attacks.
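The first question a practitioner asks after reading the two paragraphs above is which of their TeamCity servers is still exposed. The script below is an added example, not code from the article, Trend Micro or JetBrains. It assumes (from JetBrains' own advisory, not from this page) that CVE-2024-27198 was fixed in TeamCity On-Premises 2023.11.4 and that every earlier on-premises release is affected; the host names and banner strings in `SAMPLE_HOSTS` are constructed for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Assumption (JetBrains advisory, not stated in the article): CVE-2024-27198 is
# fixed in TeamCity On-Premises 2023.11.4; all earlier on-premises builds are affected.
FIXED_VERSION = (2023, 11, 4)

# TeamCity renders its version as e.g. "2023.11.3 (build 147512)" or "2022.10";
# the patch component is optional, so a missing one is treated as 0.
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d{1,3}))?\b")


def parse_teamcity_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (year, minor, patch) from any text that carries a TeamCity version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    year, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(year), int(minor), int(patch))


def is_vulnerable_to_cve_2024_27198(text: str) -> Optional[bool]:
    """True if the version predates the fix, False if patched, None if no version found."""
    version = parse_teamcity_version(text)
    if version is None:
        return None
    return version < FIXED_VERSION


# Constructed sample: banner text you might copy from each server's login page or
# REST server endpoint. Host names are placeholders.
SAMPLE_HOSTS: Dict[str, str] = {
    "ci-build-01.example.internal": "TeamCity 2023.11.3 (build 147512)",
    "ci-build-02.example.internal": "TeamCity 2023.11.4",
    "ci-legacy.example.internal": "TeamCity 2022.04.1",
    "ci-unknown.example.internal": "<html>login page without a version banner</html>",
}


def triage_hosts(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unknown' for the CVE."""
    result = {}
    for host, banner in hosts.items():
        verdict = is_vulnerable_to_cve_2024_27198(banner)
        result[host] = "unknown" if verdict is None else ("vulnerable" if verdict else "patched")
    return result


if __name__ == "__main__":
    for host, status in triage_hosts(SAMPLE_HOSTS).items():
        print(f"{host:32s} {status}")
```

An "unknown" verdict should be treated as a task, not a pass: a server that hides its version banner still needs its version confirmed out of band, and a server that was exposed while unpatched should also be reviewed for administrator accounts and access tokens nobody recognises, since administrative control is exactly what the bypass hands an attacker.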

Ransomware is hard to combat because of the affiliate model: individual actors often work for several Ransomware-as-a-Service (RaaS) outfits at once, so taking down one brand rarely removes the people behind the intrusions. Disrupting RaaS operations therefore requires persistent, strategic approaches that weaken these gangs' ability to regenerate. The FBI's Internet Crime Complaint Center (IC3) recorded 2,825 ransomware complaints in 2023, with adjusted losses exceeding $59.6 million; more than half of the incidents affected critical infrastructure organizations.

The ransomware landscape in the U.S. is dominated by LockBit, BlackCat (also known as ALPHV or Noberus), Akira, Royal, and Black Basta. Collaboration between groups is increasing, with some operations outsourcing skills to one another through so-called ghost groups, as seen with Zeon, LockBit, and Akira. Although the number of reported ransomware attacks dipped slightly in the fourth quarter of 2023, Symantec assesses that the threat is still growing, with attackers finding new ways to infect victims and evade detection.

NCC Group's figures show a 46% increase in ransomware cases in February 2024 over January, with LockBit, Hunters, BlackCat, Qilin, BianLian, Play, and 8Base the most active groups. Smaller RaaS operators emerging in response to law enforcement action against the larger groups make detection and attribution harder. Threat actors are also abusing legitimate software and living-off-the-land techniques to infect victims and disable security tooling.

Sophos researchers pointed out why Bring Your Own Vulnerable Driver (BYOVD) attacks are attractive to threat actors: the attacker loads a legitimately signed but vulnerable driver and abuses it to disable antimalware and endpoint detection and response (EDR) solutions from kernel mode, below the level at which those products can defend themselves. Utilities such as TrueSightKiller, GhostDriver, and Terminator are commonly used for this. With threat actors constantly evolving their tactics and exploiting vulnerabilities in public-facing applications, organizations need to stay vigilant, patch promptly, and keep their security controls current to defend against ransomware.
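Because the driver a BYOVD tool loads is validly signed, a signature check alone will not catch it; the useful signals are where the driver was loaded from and who signed it. The script below is an added example, not code from the article or from Sophos, showing how to triage Sysmon Event ID 6 (Driver loaded) records on those signals. The event records in `SAMPLE_EVENTS` are constructed, the driver file names and the vendor name are placeholders rather than indicators of compromise, and the `EXPECTED_SIGNERS` allowlist is an assumption to tune for your own estate.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of Sysmon Event ID 6 (Driver loaded) records in the event's
# key: value text layout. Not real telemetry: the third record has the shape of a
# BYOVD load (validly signed third-party driver dropped into a user-writable
# directory) and the fourth is an unsigned driver. File and vendor names are
# placeholders, not indicators of compromise.
SAMPLE_EVENTS = """\
UtcTime: 2024-03-01 09:12:03.115
ImageLoaded: C:\\Windows\\System32\\drivers\\disk.sys
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

UtcTime: 2024-03-01 09:12:05.220
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

UtcTime: 2024-03-01 11:47:51.002
ImageLoaded: C:\\Users\\Public\\Music\\example_vendor.sys
Signed: true
Signature: Example Vendor Ltd
SignatureStatus: Valid

UtcTime: 2024-03-01 11:48:10.560
ImageLoaded: C:\\Windows\\Temp\\tmpdrv.sys
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

# Directories a driver is normally loaded from on a healthy host (lower-cased).
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Assumed allowlist of signers you expect to see; tune per estate.
EXPECTED_SIGNERS = {"microsoft windows"}


@dataclass
class Finding:
    image: str
    utc_time: str
    reasons: List[str] = field(default_factory=list)


def parse_sysmon_text(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated key: value event text into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                record[key.strip()] = value.strip()
        events.append(record)
    return events


def triage_driver_loads(events: List[Dict[str, str]]) -> List[Finding]:
    """Flag driver loads that deserve analyst attention.

    A valid signature is not a clean bill of health: BYOVD works precisely because
    the abused driver is legitimately signed. The load path carries the signal,
    and an unexpected signer is noted once a load is already suspicious.
    """
    findings = []
    for ev in events:
        image = ev.get("ImageLoaded", "")
        signed = ev.get("Signed", "").lower() == "true"
        status_valid = ev.get("SignatureStatus", "") == "Valid"
        signer = ev.get("Signature", "-")
        reasons = []
        if not (signed and status_valid):
            reasons.append("unsigned or signature not valid")
        if not image.lower().startswith(STANDARD_DRIVER_DIRS):
            reasons.append("loaded from outside the standard driver directories")
        # A third-party signer in the normal driver directory is routine, so it is
        # only called out on loads that are already suspicious.
        if reasons and signed and signer.lower() not in EXPECTED_SIGNERS:
            reasons.append(f"third-party signer: {signer}")
        if reasons:
            findings.append(Finding(image, ev.get("UtcTime", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_driver_loads(parse_sysmon_text(SAMPLE_EVENTS)):
        print(f.utc_time, f.image)
        for reason in f.reasons:
            print("   -", reason)
```

In production this heuristic belongs alongside, not instead of, a hash-based check against a maintained list of known-abused drivers (Microsoft publishes a vulnerable driver blocklist for this purpose), since a BYOVD tool can also drop its driver into the standard directory; the path and signer checks are what catch the loads the blocklist has not caught up with yet.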
