Rogue Accounts Surge as JetBrains TeamCity Faces Mass Exploitation
A critical-severity authentication bypass vulnerability in the on-premise version of JetBrains' TeamCity continuous integration/continuous delivery (CI/CD) solution is now under mass exploitation.
Amid escalating concerns, security experts are urging immediate action to address the critical-severity authentication bypass vulnerability discovered in the on-premise version of JetBrains' TeamCity CI/CD solution. With reports indicating widespread exploitation, organizations are advised to apply the patches promptly to mitigate the risk.
According to one cybersecurity researcher, 1,700 TeamCity instances have still not been updated, and as many as 1,440 of those have been compromised, providing threat actors with sensitive details such as credentials and source code.
The severity of one of the vulnerabilities, labeled as CVE-2024-27198, cannot be overstated, as it carries a near-maximum CVSS rating of 9.8 out of 10.
This flaw lies in the authentication mechanism of TeamCity's web component and allows attackers to bypass authentication entirely. Researchers from Rapid7, who identified and reported the vulnerability to JetBrains, have characterized its implications as dire: exploitation of CVE-2024-27198 could allow remote, unauthenticated attackers to execute arbitrary code, effectively seizing full control of compromised instances. The gravity of this threat underscores the urgent need for organizations to apply patches swiftly and fortify their security posture against exploitation.
TeamCity Developers: Prime Targets for Cyber Attacks
The quick mass exploitation of this vulnerability highlights threat actors’ interest in compromising CI/CD solutions used by developers to automate the development and deployment of software products.
Since these servers usually contain source code related to various projects, their compromise could lead to potential supply chain attacks if malicious code inserted by threat actors goes undetected and is subsequently installed by users. Additionally, sophisticated threat actors with access to source code can identify zero-day vulnerabilities for future exploitation.
It would appear that the administrators of the identified unpatched TeamCity servers were not quick enough to apply the appropriate updates to mitigate the vulnerability. Administrators must maintain a high patching cadence for these types of solutions, especially if they are exposed to the internet.
Given the many systems and devices they have to keep track of, administrators should consider adopting a service that automatically notifies them when vulnerable software and appliances are detected in their environment. This saves valuable time and significantly reduces the window in which threat actors can target vulnerable systems before they are patched.
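As an added illustration of the kind of automated check described above (this is example code, not Field Effect's, JetBrains' or any vendor's), the script below reads a constructed software inventory, parses TeamCity version banners such as "2023.11.1 (build 100001)", and lists the hosts whose version is older than the fixed release. The inventory format, the host names and the version strings are all constructed for the example, and `FIXED_TEAMCITY_VERSION` is a labelled placeholder to be replaced with the fixed version named in JetBrains' advisory.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# PLACEHOLDER: replace with the fixed TeamCity version from JetBrains' advisory
# for CVE-2024-27198 / CVE-2024-27199. This value is not the real fixed version.
FIXED_TEAMCITY_VERSION = "2023.11.9"


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str  # raw version banner as reported by the inventory


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric version from a banner such as
    '2023.11.1 (build 100001)' and return it as a tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than version b. Shorter tuples are padded
    with zeros so that '2023.11' compares equal to '2023.11.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def parse_inventory(lines: Iterable[str]) -> List[Host]:
    """Parse 'hostname,product,version-banner' lines; blank and '#' lines are skipped.
    The CSV layout is a constructed format for this example."""
    hosts: List[Host] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, product, version = (field.strip() for field in line.split(",", 2))
        hosts.append(Host(name, product, version))
    return hosts


def find_unpatched(hosts: Iterable[Host], product: str = "TeamCity",
                   fixed_version: str = FIXED_TEAMCITY_VERSION) -> List[str]:
    """Return the sorted host names running `product` at a version below `fixed_version`."""
    return sorted(
        h.name for h in hosts
        if h.product.lower() == product.lower() and version_lt(h.version, fixed_version)
    )


# Constructed sample inventory: two TeamCity hosts behind the placeholder fixed
# version, one already at it, and one unrelated product that must be ignored.
SAMPLE_INVENTORY = """
# hostname,product,version-banner
ci-build-01,TeamCity,2023.11.1 (build 100001)
ci-build-02,TeamCity,2023.11.9 (build 100009)
ci-legacy,TeamCity,2022.10
git-01,GitLab,16.9.1
"""

if __name__ == "__main__":
    for name in find_unpatched(parse_inventory(SAMPLE_INVENTORY.splitlines())):
        print(f"ALERT: {name} runs a TeamCity version below {FIXED_TEAMCITY_VERSION}")
```

Wired to a scheduler and a real inventory export, this is the minimal form of the notification service the paragraph describes; the padding in `version_lt` matters because banners on older installs sometimes omit the patch component.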
CVE-2024-27199, the other vulnerability that JetBrains disclosed, is a moderate-severity authentication bypass flaw in the same TeamCity Web component. It allows for a “limited amount” of information disclosure and system modification, according to Rapid7.
With approximately 30,000 organizations relying on TeamCity to streamline their build, testing, and deployment workflows within CI/CD environments, the recent discovery of vulnerabilities adds to growing apprehension. Previous incidents, including CVE-2024-23917 in February 2024, and CVE-2023-42793, exploited by Russia’s Midnight Blizzard group in attacks last year, have heightened awareness of the platform’s susceptibility to exploitation. These recurring issues underscore the critical need for robust security measures and prompt updates to safeguard against potential breaches.
Armed with the newly discovered vulnerabilities, attackers can exploit exposed TeamCity servers easily, leveraging search engines like Shodan and FOFA for reconnaissance. Despite the presence of honeypot servers, legitimate instances can still be found. Exploitation, particularly of CVE-2024-27198, is straightforward, requiring just a single HTTP request.
This allows attackers to create admin accounts or access tokens, leading to complete server takeover, including remote code execution on the target OS. With admin privileges, attackers gain control over all managed resources, while further exploitation avenues include deploying malicious plugins or leveraging debugging APIs for executing arbitrary commands. Such attacks can extend deeper into networks or establish persistent access on compromised servers.
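Because the immediate outcome of exploitation described above is a new administrator account or access token, a defender can baseline the set of privileged principals and alert on any change. The following added example (not code from the page, from JetBrains or from any vendor) diffs two constructed JSON snapshots of users, roles and tokens; the snapshot layout and the `SYSTEM_ADMIN` role name are assumptions made for the example and do not describe TeamCity's real export format.

```python
import json
from typing import Dict, List, Set, Tuple

# Hypothetical role name used in the constructed snapshots below.
ADMIN_ROLES = {"SYSTEM_ADMIN"}


def privileged_users(snapshot: dict) -> Set[str]:
    """Usernames holding any administrative role in a snapshot."""
    return {
        u["username"] for u in snapshot.get("users", [])
        if ADMIN_ROLES & set(u.get("roles", []))
    }


def token_ids(snapshot: dict) -> Set[Tuple[str, str]]:
    """(owner, token name) pairs present in a snapshot; the secret itself is never stored."""
    return {(t["user"], t["name"]) for t in snapshot.get("tokens", [])}


def diff_snapshots(before: dict, after: dict) -> Dict[str, List]:
    """Report accounts that became administrators (new or newly promoted)
    and access tokens that did not exist in the baseline."""
    return {
        "new_admins": sorted(privileged_users(after) - privileged_users(before)),
        "new_tokens": sorted(token_ids(after) - token_ids(before)),
    }


def diff_snapshot_files(before_json: str, after_json: str) -> Dict[str, List]:
    """Convenience wrapper for snapshots held as JSON text."""
    return diff_snapshots(json.loads(before_json), json.loads(after_json))


# Constructed baseline: one legitimate admin and one deployment token.
BASELINE = json.dumps({
    "users": [
        {"username": "alice", "roles": ["SYSTEM_ADMIN"]},
        {"username": "bob", "roles": ["PROJECT_DEVELOPER"]},
    ],
    "tokens": [{"user": "alice", "name": "ci-deploy"}],
})

# Constructed later snapshot: a rogue admin account appeared, bob was promoted,
# and an extra token was minted for alice.
LATER = json.dumps({
    "users": [
        {"username": "alice", "roles": ["SYSTEM_ADMIN"]},
        {"username": "bob", "roles": ["PROJECT_DEVELOPER", "SYSTEM_ADMIN"]},
        {"username": "svc-backup", "roles": ["SYSTEM_ADMIN"]},
    ],
    "tokens": [
        {"user": "alice", "name": "ci-deploy"},
        {"user": "alice", "name": "tmp"},
    ],
})

if __name__ == "__main__":
    report = diff_snapshot_files(BASELINE, LATER)
    for user in report["new_admins"]:
        print(f"ALERT: new administrator account or promotion: {user}")
    for owner, name in report["new_tokens"]:
        print(f"ALERT: new access token '{name}' owned by {owner}")
```

Taking the snapshot from a known-good state and storing it outside the CI server matters: if the baseline lives on the compromised host, an attacker with admin rights can rewrite it.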
High-Severity Threats Plague JetBrains TeamCity
CrowdStrike’s threat hunting group director disclosed on March 5th several instances of threat actors exploiting the two vulnerabilities to deploy a modified version of Jasmin. Jasmin, characterized as a WannaCry clone, is an open-source tool often utilized by red-team testers to simulate ransomware attacks realistically. This development underscores the severity of the TeamCity vulnerabilities and the potential for significant repercussions if left unaddressed.
LeakIX, an aggregator of breach and leak data, has independently reported a concerning discovery. Their findings indicate a significant number of exposed TeamCity instances on the web, with a startling 1,711 instances detected.
The nonprofit Internet-monitoring organization Shadowserver (shadowserver.org) documented exploitation activity for CVE-2024-27198 beginning on March 4th, just a day after JetBrains disclosed the flaw. This rapid escalation underscores the urgency for organizations to patch and mitigate the vulnerabilities in their TeamCity instances.
“If running JetBrains TeamCity on-prem — make sure to patch for latest CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!,” Shadowserver warned. The volunteer-based cyber threat intelligence organization reported detecting 1,182 instances of TeamCity, some of which might have a patch in place already. It identified the top affected countries as the US with 298 instances, and Germany with 188.
Mitigation
Field Effect’s team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software like TeamCity. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users have been automatically notified via the Covalence Portal if a vulnerable version of TeamCity was detected in their environment.
Field Effect strongly encourages all other users of affected on-premise TeamCity deployments to install the latest security patch as soon as possible per JetBrains’ advisory.