JetBrains TeamCity under attack by ransomware thugs after disclosure mess – Source: go.theregister.com

Security researchers are increasingly seeing active exploit attempts using the latest vulnerabilities in JetBrains’ TeamCity that in some cases are leading to ransomware deployment.

Brody Nisbet, director of threat hunting operations at security shop CrowdStrike, xeeted on Tuesday that telemetry was already showing signs of attacks using a suspected modified version of Jasmin ransomware.

Jasmin is an open source red teaming tool that mimics WannaCry and is designed to help organizations simulate ransomware attacks, but it has been modified in the past for malicious purposes.

The GoodWill ransomware variant was one such example from 2022 that locked victims out of their files but instead of demanding a ransom payment to a crypto address, victims had to fulfill good deeds like donating money to and feeding children in need.

El Reg asked Nisbet for further information about what he saw but time zone differences meant we couldn’t immediately connect.

Other researchers have chimed in to say attacks using the pair of vulnerabilities, one critical and one high-severity, are well under way.

Christiaan Beek, senior director of threat analytics at Rapid7, noted on AttackerKB that both TeamCity vulnerabilities were spotted being exploited in the wild.

Security misconfiguration search engine LeakIX also said CVE-2024-27198, the most severe of the two vulnerabilities, was being exploited at a mass scale, with attackers breaking into CI/CD servers and creating hundreds of accounts for later use.

The usernames being registered post-exploit appear to be strings comprised of eight random alphanumeric characters, which, if spotted in a TeamCity instance, could be an indicator of compromise.

According to the latest available data from internet monitoring Shadowserver, there are still 1,182 TeamCity servers exposed to the internet and vulnerable to the security issues. The US and Germany host the highest numbers of exposed servers with 298 and 188 respectively.

• Belgian ale legend Duvel’s brewery borked as ransomware halts production
• VMware urges emergency action to blunt hypervisor flaws
• Here’s something else AI can do: expose bad infosec to give cyber-crims a toehold in your organization
• Lawsuit claims gift card fraud is the gift that keeps on giving, to Google

Those who run on-prem versions of TeamCity prior to 2023.11.4 are advised to apply the patches immediately. Given the nature of the affected product and ease of exploitation, the potential for software supply chain attacks is an acute concern.

Due to the uncoordinated disclosure of the two vulnerabilities between JetBrains and the researchers at Rapid7 who first discovered and reported the issues this week, all the information that was required for an attacker to develop a working exploit was made public on the same day the patches were released.

Alleged silent patching causes infosec stir

In case you missed the drama on Tesday, March 5, Rapid7 was accused of throwing JetBrains under the bus by publishing a disclosure timeline that showed the two vendors’ contrasting policies when it comes to publishing details of vulnerabilities.

The long and short of it was that JetBrains told Rapid7 it wanted to release patches to customers and give them time to apply them before publishing details of the vulnerabilities that could lead to the development of exploit code.

Rapid7’s policy is to publish vulnerabilities in full at the time patches are released to maintain full community transparency. JetBrains argued that in this case, given the severity of the issues and the potential consequences of a successful attack, customers should be given time to patch while the world is none the wiser about the issues.

After Rapid7 saw that JetBrains went ahead and did things its own way, releasing patches with little technical detail, it published its entire report.

The situation has divided the cybersecurity community given that both parties have valid arguments for their respective policies.

JetBrains said it “never had any intention to release a fix silently without making the full details public,” it just wanted to give its customers time to apply the fixes before attacks could spread.

“This suggestion was rejected by the Rapid7 team who published full details of the vulnerabilities (and how to exploit them) a few hours after we had released a fix to TeamCity customers.”

There appears to be some confusion between the two companies about JetBrains’ conduct, which it maintains was in the best interests of its customers. 

Rapid7 most likely saw the patches go live over the weekend without an accompanying security advisory and assumed the details would never be publicized by the vendor so it took it upon itself. JetBrains denied this to be the case. ®