
There have been reports of ransomware attacks carried out by malicious actors exploiting vulnerabilities in JetBrains TeamCity.

GuidePoint Security's recent discovery reveals that the cybercriminals responsible for the BianLian ransomware have exploited vulnerabilities in JetBrains TeamCity software to carry out extortion attacks. The attack begins with the exploitation of a TeamCity server and the deployment of a PowerShell variant of the BianLian backdoor. Although the ransomware first surfaced in June 2022, the group shifted to extortion-only attacks after a decryptor was released in January 2023.

The attack chain observed by the firm involves exploiting a vulnerable TeamCity instance using either CVE-2024-27198 or CVE-2023-42793 to gain initial access to the system. Once access is achieved, the attackers create new users in the build server and execute malicious commands for further exploitation and lateral movement. The exact vulnerability used by the threat actors is still unknown.

BianLian attackers are known for using a custom backdoor written in Go, which they use to drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. Microsoft refers to this custom backdoor as BianDoor.

After several failed attempts to execute their standard Go backdoor, the attackers switched to a PowerShell version of their backdoor, which provides similar functionality. The PowerShell backdoor, named “web.ps1,” is designed to establish a TCP socket for communication with a command-and-control server, allowing the attackers to carry out various actions on the infected system.
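As an added illustration (not code from the article, GuidePoint Security, or BianLian's tooling), the following detector correlates three observable stages of the chain described above on one host: a new build-server user, PowerShell spawned by the TeamCity server process, and that PowerShell process opening an outbound TCP connection. The telemetry schema, hostnames, paths and addresses are all constructed for this example and are not TeamCity's real log format.

```python
# Constructed telemetry, one event per line: host|event_kind|key=value key=value ...
# This pipe/key=value schema is hypothetical, chosen only to keep the example self-contained.
from collections import defaultdict

STAGES = ("user_created", "teamcity_spawned_powershell", "powershell_outbound")

SAMPLE_EVENTS = """\
build01|user_created|user=svc_backup via=teamcity_rest
build01|process_start|parent=TeamCity.exe child=powershell.exe script=C:\\Temp\\web.ps1
build01|net_connect|image=powershell.exe dst=203.0.113.10:8080
build02|process_start|parent=explorer.exe child=powershell.exe script=deploy.ps1
build02|net_connect|image=chrome.exe dst=198.51.100.7:443
""".splitlines()


def parse_event(line):
    """Split 'host|kind|k=v k=v ...' into (host, kind, {k: v})."""
    host, kind, rest = line.split("|", 2)
    fields = dict(f.split("=", 1) for f in rest.split())
    return host, kind, fields


def stage_of(kind, f):
    """Map one event to a chain stage, or None when the event is not of interest."""
    if kind == "user_created":
        return "user_created"
    if (kind == "process_start"
            and f.get("parent", "").lower().startswith("teamcity")
            and f.get("child", "").lower() == "powershell.exe"):
        return "teamcity_spawned_powershell"
    if kind == "net_connect" and f.get("image", "").lower() == "powershell.exe":
        return "powershell_outbound"
    return None


def correlate(lines, min_stages=2):
    """Return {host: [stages seen, in chain order]} for hosts that hit at least min_stages.

    Requiring more than one stage keeps a lone PowerShell connection (common in
    legitimate administration) from raising an alert on its own."""
    seen = defaultdict(set)
    for line in lines:
        host, kind, fields = parse_event(line)
        stage = stage_of(kind, fields)
        if stage:
            seen[host].add(stage)
    return {h: [s for s in STAGES if s in st] for h, st in seen.items() if len(st) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```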

The disclosure of this attack comes as VulnCheck released proof-of-concept exploits for a critical vulnerability (CVE-2023-22527) in Atlassian Confluence Data Center and Confluence Server. This flaw can lead to remote code execution in a fileless manner, allowing the attackers to load the Godzilla web shell directly into memory. In recent months, this flaw has been used to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans, indicating widespread exploitation.

VulnCheck's Jacob Baines noted that there are multiple ways to exploit this vulnerability, some of them stealthier than others. This highlights the importance of regularly patching and updating software to prevent cyberattacks.

In conclusion, it is crucial for organizations to regularly update and patch their software in light of the threat actors behind the BianLian ransomware exploiting vulnerabilities in JetBrains TeamCity software to carry out their extortion attacks.


Deitasoft © 2024. All Rights Reserved.