Security News > 2024 > March > Attackers are exploiting JetBrains TeamCity flaw to deliver a variety of malware
Attackers are exploiting the recently patched JetBrains TeamCity auth bypass vulnerability to deliver ransomware, cryptominers and remote access trojans, according to Trend Micro researchers.
CVE-2024-27198, an authentication bypass vulnerability affecting the TeamCity server, has been disclosed and fixed in early March, along with CVE-2024-27199 - a directory traversal vulnerability in the same instance.
At the time, attackers were already seen dropping Jasmin ransomware, which is an open-source tool that imitates WannaCry and is used by security teams to simulate ransomware attack.
Trend Micro researchers have outlined various attackers exploiting the flaw and delivering different types of malicious payloads.
Some attackers also deployed Cobalt Strike beacons, to prepare the stage for future activities.
"The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period," they explained.
News URL
https://www.helpnetsecurity.com/2024/03/21/exploiting-cve-2024-27198/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-03-04 | CVE-2024-27199 | Path Traversal vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible | 7.3 |
2024-03-04 | CVE-2024-27198 | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible | 9.8 |