The BianLian ransomware gang is exploiting known bugs in JetBrains’ TeamCity software development platform to gain initial access to victims’ systems.
Researchers at GuidePoint Security said they recently observed an intrusion where BianLian attempted to deploy several malicious tools, including a novel PowerShell backdoor, after accessing a victim’s TeamCity server.
“As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities,” the researchers said in a March 8 blog post.
TeamCity flaws expose supply chain attack risk
The threat group’s TeamCity hack involved exploiting one of two critical severity authentication bypass vulnerabilities, one of which was patched this month (CVE-2024-27198) and the other last September (CVE-2023-42793).
“The threat actor identified a vulnerable TeamCity server and leveraged CVE-2024-27198/CVE-2023-42793 for initial access into the environment, creating users in TeamCity and invoking malicious commands under the TeamCity product’s service account,” GuidePoint Security’s researchers said.
“The logs required to determine which of the two CVEs the threat actor exploited were not available at the time of analysis.”
BianLian is known for deploying a custom backdoor, written in Go and specific to each of its victims, before installing remote management and access software for persistence and command and control. But GuidePoint Security observed a change of approach used in the TeamCity attack.
“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” the researchers said.
TeamCity manages organizations’ Continuous Integration and Continuous Deployment (CI/CD) software development pipeline — the process of building, testing and deploying code. The platform is used by about 30,000 organizations.
Compromising a TeamCity server could give threat actors access to a victim organization’s source code and signing certificates, giving them the ability to subvert software compilation and deployment processes to launch a supply chain attack, security and law enforcement agencies warned in December.
Adaptability makes BianLian a top 10 ransomware gang
Given its propensity to exploit the latest vulnerabilities, BianLian aptly takes its name from the ancient Chinese dramatic art of “face-changing” where performers wear brightly costumes and several masks that are quickly changed.
The gang emerged in 2022 as a double extortion ransomware group, demanding payment from victims to unlock encrypted files while using the threat of selling or publishing exfiltrating data as additional leverage.
But when Avast published a decryptor for the group’s encryption malware early last year, BianLian switched to only extorting payments to prevent data leaks.
According to a January analysis by Palo Alto Networks’ Unit 42, the group was one of the top 10 most active ransomware operators in 2023, based on the number of victims posted on its leak site. It primarily targeted the healthcare, manufacturing, professional and legal services sectors, mainly in the U.S. and Europe.
“Maintaining their tactics, techniques and procedures (TTPs) of infiltrating corporate networks, the BianLian group has shown adaptiveness to the ransomware market demands,” Unit 42’s researchers said in their analysis.
