
JetBrains TeamCity faces ransomware threat following data breach • The Register


Security researchers are seeing active exploitation of the two latest vulnerabilities in JetBrains' TeamCity software, and in some of those intrusions the attackers have gone on to deploy ransomware.

According to Brody Nisbet, director of threat hunting operations at CrowdStrike, the company's telemetry shows ongoing attacks that drop what appears to be a modified build of the Jasmin ransomware. Jasmin began life as an open source red-teaming tool for simulating ransomware attacks, but it has been repurposed by criminals before, most notably as the basis of the GoodWill ransomware seen in 2022.

GoodWill departed from the usual playbook by demanding that victims perform acts of goodwill, such as donating to charities, instead of paying a ransom. The current campaign has no such twist: security teams are warning of in-the-wild exploitation of two TeamCity vulnerabilities, one rated critical and one high-severity.

Christiaan Beek, senior director of threat analytics at Rapid7, has likewise confirmed exploitation, with the critical flaw, CVE-2024-27198, an authentication bypass, being hit at scale. Attackers who get into a CI/CD server are creating numerous user accounts with random alphanumeric usernames, presumably to keep a way back in once the original hole is patched. Because a TeamCity server holds build credentials and pipeline definitions, a compromised instance is a staging point for further attacks rather than an end in itself.

Internet scanning data from Shadowserver shows 1,182 TeamCity servers still exposed to the internet and unpatched against these flaws, with the United States and Germany hosting the majority of them.

Anyone running TeamCity On-Premises older than 2023.11.4 should update now. The flaws are easy to exploit, and a compromised build server is a direct route to software supply chain attacks on whatever that server builds and ships.
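A small triage script, added here as an example and not code from JetBrains, Rapid7 or The Register, that turns the two actionable points above (the random-alphanumeric account indicator and the 2023.11.4 patch threshold) into offline checks. It assumes the field names of TeamCity's REST API responses for /app/rest/server and /app/rest/users; the sample responses are constructed for the example, and the eight-character username length is a tunable assumption rather than something the article states:

```python
"""Offline triage helpers for a TeamCity On-Premises instance.

Added example (not code from JetBrains, Rapid7, or the article). It turns
two observations from the reporting into checks a defender can run:

  1. Is the server older than 2023.11.4, the first release that fixed
     CVE-2024-27198 and its companion high-severity flaw?
  2. Does the user list contain the random alphanumeric usernames that
     attackers were seen mass-creating on compromised servers?

Assumptions: the JSON shapes mirror TeamCity's REST responses for
GET /app/rest/server ("version" field) and GET /app/rest/users ("user"
list with "username"); the sample data below is constructed, and the
8-character username length is a tunable guess, not a fact from the page.
"""
import json
import re

# First fixed release per JetBrains' advisory: (year, minor, patch).
FIXED_VERSION = (2023, 11, 4)

# TeamCity reports its version as e.g. "2023.11.3 (build 147512)".
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?")

# Assumed indicator shape: all-lowercase alphanumeric, fixed length.
RANDOM_NAME_LEN = 8
_RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{%d}$" % RANDOM_NAME_LEN)

# Constructed sample responses (not captured from a real server).
SAMPLE_SERVER_JSON = json.dumps({
    "version": "2023.11.3 (build 147512)",
    "buildNumber": "147512",
})
SAMPLE_USERS_JSON = json.dumps({
    "count": 5,
    "user": [
        {"id": 1, "username": "admin", "name": "Administrator"},
        {"id": 2, "username": "jsmith", "name": "Jane Smith"},
        {"id": 3, "username": "ax7k2qz9", "name": "ax7k2qz9"},
        {"id": 4, "username": "m4p0tq1r", "name": "m4p0tq1r"},
        {"id": 5, "username": "deploybot", "name": "Deploy Bot"},
    ],
})


def parse_version(version_str: str) -> tuple:
    """Return (year, minor, patch) from a TeamCity version string.

    A missing patch component ("2023.11") is treated as 0, so a bare
    2023.11 compares as older than 2023.11.4.
    """
    m = _VERSION_RE.match(version_str.strip())
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {version_str!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version_str: str) -> bool:
    """True when the reported version predates the 2023.11.4 fix."""
    return parse_version(version_str) < FIXED_VERSION


def looks_random(username: str) -> bool:
    """Heuristic: fixed-length lowercase alphanumerics mixing letters and digits."""
    if not _RANDOM_NAME_RE.match(username):
        return False
    return any(c.isalpha() for c in username) and any(c.isdigit() for c in username)


def flag_suspicious_users(users_json: str, allowlist=()) -> list:
    """Usernames from a /app/rest/users response that match the indicator."""
    data = json.loads(users_json)
    return [
        u.get("username", "")
        for u in data.get("user", [])
        if u.get("username", "") not in allowlist and looks_random(u.get("username", ""))
    ]


def triage(server_json: str, users_json: str, allowlist=()) -> dict:
    """Combine both checks into one report for an instance."""
    version = json.loads(server_json)["version"]
    return {
        "version": version,
        "vulnerable_version": is_vulnerable(version),
        "suspicious_accounts": flag_suspicious_users(users_json, allowlist),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SERVER_JSON, SAMPLE_USERS_JSON)
    print(json.dumps(report, indent=2))
```

To run it against a real server, fetch the two endpoints with an authenticated request that sends `Accept: application/json` and pass the bodies to `triage()`. A flagged username is a lead for investigation, not proof of compromise, and the reverse also holds: an instance that sat on the internet unpatched while this exploitation was underway should be treated as potentially compromised even if its user list looks clean, which means rotating every credential and token the build server could reach.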

The disclosure itself has stirred debate in the security community over how JetBrains and Rapid7 handled coordination. JetBrains wanted to get the fix into customers' hands before any vulnerability details were published, while Rapid7 objected to patching quietly and argued that details should be released alongside the fix.

The disagreement ended with Rapid7 publishing a disclosure timeline that laid out the two companies' conflicting policies. JetBrains defended its decision as the one that best protected customers, while Rapid7 maintained that transparency and timely information give defenders the better footing.

Whatever the merits of either position, the practical outcome is the same: the fix is available, exploitation is underway, and organizations running exposed TeamCity servers need to patch, then check whether someone got in first.

