
Threat Actors Exploit JetBrains TeamCity Flaw for Ransomware and Cryptocurrency Attacks

In recent news, it has been reported that cybercriminals are exploiting recently disclosed security vulnerabilities in JetBrains TeamCity software to deploy several kinds of malware, including ransomware, cryptocurrency miners, Cobalt Strike beacons, and a remote access trojan known as Spark RAT. The attacks exploit CVE-2024-27198, an authentication bypass that lets attackers gain administrative control over the affected servers. Once the attackers have access, they install malware that communicates with a command-and-control (C&C) server and executes additional commands, which include deploying Cobalt Strike beacons and remote access trojans (RATs). Ultimately, the attackers install ransomware as the final payload to encrypt files and demand ransom payments from victims.

According to Trend Micro, the attackers behind this attack are associated with the BianLian and Jasmin families. They have also been seen dropping the XMRig cryptocurrency miner and Spark RAT. Organizations using TeamCity for their CI/CD processes are advised to update their software immediately to protect against potential threats.
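Since the advice above is simply to update, a defender's first question is which TeamCity servers in the inventory still run a version older than the patched release. The script below is an added example (not from the original post, Trend Micro, or JetBrains): it reads the version banner that TeamCity's REST endpoint `GET /app/rest/server` reports in the `version` attribute of its `<server>` element and compares it against a fixed version supplied by the operator. The sample XML response is constructed for offline use, and the fixed version is a placeholder that must be taken from the vendor advisory for CVE-2024-27198; the `fetch_server_xml` helper and its bearer-token authentication are assumptions about a live server and are not exercised here.

```python
"""Added example, not part of the original post: flag TeamCity servers
whose self-reported version predates the release that fixed the
authentication bypass described above.

Assumptions (not from the post):
  * GET /app/rest/server returns XML whose root <server> element has a
    `version` attribute such as "2023.11.3 (build 147512)".
  * The server accepts an access token as `Authorization: Bearer ...`.
  * The fixed version is supplied by the operator from the vendor
    advisory; the value used in the demo below is a PLACEHOLDER.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Tuple

# Leading dotted numeric part of a banner, e.g. "2023.11.3" from
# "2023.11.3 (build 147512)".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")

# Constructed sample of a /app/rest/server response (not a real capture).
SAMPLE_SERVER_XML = (
    '<server version="2023.11.3 (build 147512)" versionMajor="2023" '
    'versionMinor="11" buildNumber="147512" '
    'startTime="20240301T120000+0000"/>'
)

# PLACEHOLDER: substitute the first fixed version from the JetBrains
# advisory for CVE-2024-27198 before relying on this check.
FIXED_VERSION_PLACEHOLDER = "2023.11.4"


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading dotted version in `text` as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """True if a < b, padding with zeros so 2023.11 equals 2023.11.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def server_version_from_xml(xml_text: str) -> str:
    """Extract the version banner from a /app/rest/server response."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("unexpected response: no <server version=...>")
    return root.attrib["version"]


def needs_update(xml_text: str, fixed_version: str) -> bool:
    """True if the reported version is older than `fixed_version`."""
    reported = parse_version(server_version_from_xml(xml_text))
    return version_lt(reported, parse_version(fixed_version))


def fetch_server_xml(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Fetch /app/rest/server from a live server (assumed API; not run here)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    banner = server_version_from_xml(SAMPLE_SERVER_XML)
    vulnerable = needs_update(SAMPLE_SERVER_XML, FIXED_VERSION_PLACEHOLDER)
    print(f"reported {banner!r}; needs update: {vulnerable}")
```

Run the check against every TeamCity host in your inventory, not just the internet-facing ones, since a build server reachable only internally is still an attractive pivot once an attacker has any foothold; treat a `needs_update` result of True as a patch ticket plus a review of administrator accounts and access tokens created since the advisory date.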

This news comes as ransomware remains a profitable and persistent threat, with new strains emerging in the wild. Recently discovered ransomware strains include DoNex, Evil Ant, Lighter, RA World, and WinDestroyer. Despite law enforcement actions against notorious groups like LockBit, such groups still accept affiliates into their programs. WinDestroyer is notable for encrypting files and rendering targeted systems unusable with no means of recovery, which suggests that the threat actors behind it may have geopolitical motivations.

The FBI's Internet Crime Complaint Center (IC3) reported 2,825 ransomware infections in 2023, resulting in over $59.6 million in adjusted losses. Of these, 1,193 were reported by organizations in critical infrastructure sectors. The top five ransomware variants affecting essential infrastructure in the U.S. include LockBit, BlackCat (aka ALPHV or Noberus), Akira, Royal, and Black Basta.

Moreover, there has also been increased collaboration between different ransomware groups. Some have even started sharing their malicious tools. This has led to the emergence of “ghost groups,” where one ransomware operation outsources its skills to another, as seen in the case of Zeon, LockBit, and Akira.

In a recent report, Symantec, owned by Broadcom, noted that ransomware activity continues to rise, with threat actors becoming more creative and sophisticated in their attacks. Individuals and organizations must remain vigilant and proactively safeguard their systems against these evolving threats.


Deitasoft © 2024. All Rights Reserved.