Ransomware, Vulnerability Management, DevOps

Open-source ransomware, RATs deployed on compromised TeamCity servers

A JetBrains TeamCity authentication bypass vulnerability is being leveraged to deploy open-source ransomware, remote access tools (RATs), cryptominers and Cobalt Strike beacons, according to Trend Micro research published Tuesday.

Jasmin ransomware, SparkRAT backdoors and XMRig cryptocurrency miners were among the post-exploitation payloads observed by Trend Micro, with the first signs of active exploitation appearing one day after the vulnerability was disclosed, Trend Micro researchers told SC Media.

“We’ve seen multiple malicious actors using them in their attacks, which shows that once new vulnerabilities are disclosed, and public proof-of-concept codes are published, we regularly start seeing many attacks by many adversaries taking advantage of these quickly,” said Trend Micro Vice President of Threat Intelligence Jon Clay.

The critical vulnerability, tracked as CVE-2024-27198, and a high-severity directory traversal flaw, tracked as CVE-2024-27199, were fixed and disclosed by JetBrains on March 4.

The most severe vulnerability enables an unauthenticated attacker to create an administrator account and achieve remote code execution on on-premises instances of the TeamCity continuous integration and continuous development (CI/CD) platform.

Rapid7, which discovered the bugs, published its analysis of the flaws on the same day as JetBrains’ disclosure, following disagreement between the companies about the disclosure timeline. A proof-of-concept (PoC) exploit module was published by Rapid7 on GitHub a day later.

TeamCity attackers commandeer legitimate open-source software

The payloads identified by Trend Micro all involve the hijacking of legitimate software tools by cybercriminals, with the likely goal of financial gain. Jasmin, SparkRAT and XMRig are all open-source tools available on GitHub.

“Many adversaries will utilize open-source tools in their attacks, so this isn’t unique to many of the attacks we see. Attackers want to maximize their profit and as such, developing their own tools costs them, so using open-source tools allows them both the ability to access tools easily, but also helps them profit more from their attacks,” Clay said.

The Jasmin ransomware is described by its creator Siddhant Gour as a “WannaCry clone” and is designed as a red teaming tool for simulating ransomware attacks, with both the encryptor and decryptor available.

The malicious variant described by Trend Micro encrypts victims’ files and adds the extension “.lsoc.” The .html ransom note file left by the threat actors was found to have its source code obfuscated, with the text of the note generated from a JavaScript process, likely to avoid detection.  

“Often threat actors will use pieces and components from open-source malware as building blocks for new strains of the malware or new malware families,” noted Peter Girnus, senior threat researcher at Trend Micro’s Zero Day Initiative, in an email to SC Media. “Similar to viruses, often the best ‘genetic’ or ‘code’ attributes are repurposed for new campaigns.”

Threat actors deploying the SparkRAT backdoor and XMRig cryptominer on TeamCity instances were also seen using living-off-the-land binary (LOLBin) tools to avoid detection.

In the case of SparkRAT, a PowerShell command was used to download and execute a batch file called “win.bat,” which then uses the Windows certificate management tool certutil.exe to download and execute the SparkRAT before deleting the original batch file.

A similar method of batch file and certutil use was observed in the deployment of XMRig. The three components of the cryptominer — JavaAccessBridge-64.exe, config.json and WinRing0x64.sys — were dropped in the public videos directory of the target system.   
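As an added detection sketch (not code from Trend Micro or SC Media), the behaviors reported above can be matched against process-creation and file-creation telemetry. The event schema, the sample events, the `dl.example` host and the `C:\Users\Public\Videos` path are assumptions made for illustration; the file names and the “.lsoc” extension are the ones reported in the article.

```python
import re
from pathlib import PureWindowsPath

# Names and extension as reported in the article.
XMRIG_FILES = {"javaaccessbridge-64.exe", "config.json", "winring0x64.sys"}
RANSOM_EXT = ".lsoc"
# Assumption: default path of the "public videos directory".
PUBLIC_VIDEOS = PureWindowsPath(r"C:\Users\Public\Videos")

# certutil with a URL on its command line: a download, not certificate work.
CERTUTIL_URL = re.compile(r"\bcertutil(\.exe)?\b.*https?://", re.I)
# PowerShell command line that references a .bat file at a URL.
PS_BAT = re.compile(r"\bpowershell(\.exe)?\b.*https?://\S*\.bat\b", re.I)

def classify(event):
    """Return the finding labels for one event dict (hypothetical schema)."""
    findings = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        if PS_BAT.search(cmd):
            findings.append("powershell-fetches-bat")
        if CERTUTIL_URL.search(cmd):
            findings.append("certutil-download")
            if ".bat" in event.get("parent", "").lower():
                findings.append("certutil-from-batch")
    elif event["type"] == "file":
        path = PureWindowsPath(event["path"])
        if path.suffix.lower() == RANSOM_EXT:
            findings.append("lsoc-extension")
        # config.json is a common name, so require the directory as well.
        if path.name.lower() in XMRIG_FILES and path.parent == PUBLIC_VIDEOS:
            findings.append("miner-file-in-public-videos")
    return findings

# Constructed sample events; hosts and option placeholders are not from the article.
EVENTS = [
    {"type": "process", "cmdline": "powershell.exe [options] http://dl.example/win.bat"},
    {"type": "process", "parent": "cmd.exe /c win.bat",
     "cmdline": "certutil.exe [options] http://dl.example/client.exe client.exe"},
    {"type": "process", "cmdline": "certutil.exe -hashfile build.zip SHA256"},
    {"type": "file", "path": r"c:\users\public\videos\WinRing0x64.sys"},
    {"type": "file", "path": r"C:\BuildAgent\work\config.json"},
    {"type": "file", "path": r"D:\artifacts\release.zip.lsoc"},
]

def scan(events):
    """Map event index -> findings, keeping only events that matched."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

if __name__ == "__main__":
    for idx, labels in scan(EVENTS).items():
        print(idx, labels)
```

The benign `certutil -hashfile` call and the `config.json` in a build directory produce no findings, which is the behavior to preserve when tuning these rules on a build server.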

Additionally, threat actors also deployed Cobalt Strike beacons on vulnerable servers. Cobalt Strike, a legitimate penetration testing tool that has long been misused by ransomware groups and other cybercriminals, can be used to establish persistence on the server and facilitate command and control (C2) communications.

Because TeamCity is a CI/CD platform used by many software developers, exploitation of its vulnerabilities puts valuable source code, software builds and artifacts at risk. This makes TeamCity servers an attractive target for threat actors, as noted by the FBI, CISA, NSA and other international authorities in a joint advisory about the Russia-backed threat actor CozyBear’s exploitation of a different critical TeamCity vulnerability last year.

More than 1,400 TeamCity servers compromised, 600 still unpatched

As noted by Trend Micro, exploitation of CVE-2024-27198 began shortly after its disclosure. More than 1,400 TeamCity servers were found to be compromised less than a week after the patch became available, according to LeakIX, which reported that attackers were creating between three and 300 rogue admin accounts per server.  

CVE-2024-27198 has also been used by the ransomware gang BianLian, as reported by GuidePoint Security researchers last week. BianLian used living-off-the-land tactics to deploy a novel backdoor, and also targeted TeamCity CVE-2023-42693, which was patched last September.

More than 600 TeamCity instances vulnerable to CVE-2024-27198 were detected by the security organization Shadowserver as of Tuesday, down from more than 1,500 detected on March 5. Users of on-premises versions of TeamCity must upgrade to version 2023.11.4 to prevent exploitation.

TeamCity Solutions Engineer Daniel Gallo authored a blog post last Thursday outlining steps users can take if they suspect their server has been compromised.

Gallo also wrote a blog post last Monday describing cases of customers falling victim to ransomware and other attacks despite attempting to patch. The post explains the thought process behind JetBrains’ coordinated disclosure policy and reiterates earlier criticism of Rapid7’s decision to publish a PoC exploit shortly after the patch.
