Attackers are exploiting JetBrains TeamCity flaw to deliver a variety of malware

2024-03-21 09:57

Attackers are exploiting the recently patched JetBrains TeamCity auth bypass vulnerability to deliver ransomware, cryptominers and remote access trojans, according to Trend Micro researchers.

CVE-2024-27198, an authentication bypass vulnerability affecting the TeamCity server, has been disclosed and fixed in early March, along with CVE-2024-27199 - a directory traversal vulnerability in the same instance.

At the time, attackers were already seen dropping Jasmin ransomware, which is an open-source tool that imitates WannaCry and is used by security teams to simulate ransomware attack.

Trend Micro researchers have outlined various attackers exploiting the flaw and delivering different types of malicious payloads.

Some attackers also deployed Cobalt Strike beacons, to prepare the stage for future activities.

"The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period," they explained.

News URL

https://www.helpnetsecurity.com/2024/03/21/exploiting-cve-2024-27198/

#malware #CVE-2024-27199 #CVE-2024-27198

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2024-03-04	CVE-2024-27199	In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible	0.0
2024-03-04	CVE-2024-27198	Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible network low complexity jetbrains critical	9.8

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Jetbrains		32	28	244	52	15	339