Ransomware Actors Exploit Critical Bug, Target DevOps Tool – Source: www.govinfosecurity.com

DevSecOps
,
Fraud Management & Cybercrime
,
Next-Generation Technologies & Secure Development

Multiple Organizations Victimized Over the Weekend

Mihir Bagwe (MihirBagwe) •
October 3, 2023    

Ransomware hackers are using a critical flaw in a DevOps tool days after developer JetBrains issued a critical security update to patch its TeamCity build management and continuous integration server.

See Also: Live Webinar Tomorrow | Cyber Resilience: Recovering from a Ransomware Attack

JetBrains disclosed on Sept. 20 a vulnerability tracked as CVE-2023-42793 allowing remote code execution on its continuous integration and continuous delivery/continuous deployment servers.

“Many popular ransomware groups started to weaponize CVE-2023-42793 and added the exploitation phase in their workflow,” said threat intelligence firm Prodaft, on social media network X, formerly Twitter.

The firm said it detected multiple organizations affected over the last three days by hackers exploiting the bug. “Unfortunately, most of them will have a huge headache in the upcoming weeks,” Prodaft said.

The vulnerability allows unauthenticated attackers to execute arbitrary code on the TeamCity on-premises server. Attackers can steal source code, service secrets and private keys, said SonarSource, which first identified the flaw.

The vulnerability affects all prior versions of TeamCity’s on-premises CI/CD server, used by 30,000 users worldwide. Servers such as TeamCity are high-value targets for attackers.

Malicious activity tracking group Shadowserver on Sunday traced nearly 1,300 unpatched TeamCity servers, most of them in the United States.

At least 74 unique IP addresses have targeted internet-exposed JetBrains TeamCity servers, according to threat intelligence firm GreyNoise.

Rapid7 disclosed an exploit for the vulnerability that works against both Windows and Linux targets, the cybersecurity company said.