Attackers are exploiting JetBrains TeamCity flaw to deliver a variety of malware
2024-03-21 09:57

Attackers are exploiting the recently patched JetBrains TeamCity auth bypass vulnerability to deliver ransomware, cryptominers and remote access trojans, according to Trend Micro researchers.

CVE-2024-27198, an authentication bypass vulnerability affecting the TeamCity server, was disclosed and fixed in early March, along with CVE-2024-27199, a directory traversal vulnerability in the same instance.

At the time, attackers were already seen dropping Jasmin ransomware, an open-source tool that imitates WannaCry and is used by security teams to simulate ransomware attacks.

Trend Micro researchers have outlined how various attackers are exploiting the flaw to deliver different types of malicious payloads.

Some attackers also deployed Cobalt Strike beacons to set the stage for future activities.

"The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period," they explained.


News URL

https://www.helpnetsecurity.com/2024/03/21/exploiting-cve-2024-27198/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2024-03-04 | CVE-2024-27199 | Path Traversal vulnerability in Jetbrains Teamcity | In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible | network | low complexity | jetbrains | CWE-22 | 7.3 |
| 2024-03-04 | CVE-2024-27198 | Unspecified vulnerability in Jetbrains Teamcity | In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible | network | low complexity | jetbrains | | critical, 9.8 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Jetbrains 32 16 236 121 46 419