
BianLian group exploits TeamCity again, deploys PowerShell backdoor

March 11, 2024 – Published on CSO Online

The BianLian extortion group was recently seen exploiting vulnerabilities in the TeamCity continuous integration server for initial access into networks. In the latest attacks the group also deployed a previously unknown backdoor written in PowerShell that seems to be a reimplementation of their older Golang backdoor.

“As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities,” researchers from GuidePoint Security said in a new report.

BianLian is a ransomware group that emerged in 2022 and has primarily targeted organizations in the healthcare, manufacturing, professional, and legal services sectors in the US and Europe. The group originally used double-extortion tactics, but it switched to operations that involve only data-leak extortion after researchers released a decryptor for its file-encrypting program.

During a recent investigation in a customer environment, GuidePoint’s incident response team determined that BianLian attackers broke in by exploiting a vulnerability in TeamCity, a commercial CI/CD tool developed by JetBrains that is used to automate the building and testing of software. Because the logs were missing from the server, the GuidePoint researchers could not determine whether the vulnerability was one of the two critical ones patched by JetBrains last week (CVE-2024-27198) or an older one patched last year (CVE-2023-42793).

What’s clear is that the exploit allowed the attackers to create new users in TeamCity and execute malicious commands on the underlying system with the privileges of TeamCity’s service account. Native Windows commands were then used to perform additional reconnaissance and to discover other software build servers on the network that could be targeted.
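The pattern described above, a TeamCity process spawning native Windows reconnaissance commands under the service account, is something a defender can hunt for in process-creation telemetry. The detector below is an added example and is not code from the article or from GuidePoint's report; its event schema, file paths, the assumed TeamCity process names and the list of reconnaissance commands are all constructed for illustration, since the article names neither the exact commands nor a log format.

```python
"""Added example (not from the article or GuidePoint): flag process-creation
events in which a TeamCity server or build-agent process launches native
Windows reconnaissance commands. Schema, paths and sample lines are
constructed assumptions, not any product's real telemetry format."""
import json
from dataclasses import dataclass

# Assumed host processes of a TeamCity server / build agent on Windows.
TEAMCITY_PROCESSES = {"java", "teamcityservice", "teamcityagentservice"}
# The article only says "native Windows commands" were used for
# reconnaissance; this concrete list is an assumption for the example.
RECON_COMMANDS = {"whoami", "net", "nltest", "ipconfig", "systeminfo",
                  "tasklist", "quser", "arp", "nslookup", "hostname"}

# Constructed sample telemetry, one JSON object per line. Line 3 is a user
# running whoami from Explorer and must not be flagged; line 2 is a normal
# build step spawned by the agent and must not be flagged either.
SAMPLE_EVENTS = r"""
{"ts": "2024-03-05T02:14:07Z", "host": "build01", "user": "CORP\\svc_teamcity", "parent_image": "C:\\TeamCity\\jre\\bin\\java.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami & net view /domain"}
{"ts": "2024-03-05T02:14:09Z", "host": "build01", "user": "CORP\\svc_teamcity", "parent_image": "C:\\TeamCity\\jre\\bin\\java.exe", "image": "C:\\Program Files\\Git\\cmd\\git.exe", "cmdline": "git.exe fetch --all"}
{"ts": "2024-03-05T02:15:30Z", "host": "ws042", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command whoami"}
{"ts": "2024-03-05T02:16:12Z", "host": "build01", "user": "CORP\\svc_teamcity", "parent_image": "C:\\TeamCity\\jre\\bin\\java.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -Command \"nltest /dclist:corp\""}
""".strip()


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    parent_image: str
    recon: list[str]
    cmdline: str


def exe_name(path_or_token: str) -> str:
    """Lower-cased file name without directory or .exe suffix."""
    name = path_or_token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_teamcity_parent(parent_image: str) -> bool:
    """True when the parent lives under a TeamCity install directory and is
    one of the assumed server/agent host processes."""
    norm = parent_image.replace("/", "\\").lower()
    return "\\teamcity\\" in norm and exe_name(norm) in TEAMCITY_PROCESSES


def recon_commands_in(image: str, cmdline: str) -> list[str]:
    """Reconnaissance command names found in the launched image or anywhere
    in its command line (so `cmd.exe /c whoami & net view` is caught),
    in order of first appearance, de-duplicated."""
    tokens = [image] + cmdline.replace('"', " ").split()
    found: list[str] = []
    for tok in tokens:
        name = exe_name(tok.strip("&|;()"))
        if name in RECON_COMMANDS and name not in found:
            found.append(name)
    return found


def detect(events_text: str) -> list[Alert]:
    """Run the rule over newline-delimited JSON events and return alerts."""
    alerts: list[Alert] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not is_teamcity_parent(ev["parent_image"]):
            continue
        recon = recon_commands_in(ev["image"], ev["cmdline"])
        if recon:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"],
                                ev["parent_image"], recon, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host} {a.user}: TeamCity process ran "
              f"{a.recon}: {a.cmdline}")
```

Build steps legitimately spawn cmd.exe and powershell.exe under the agent's java.exe all day, so keying on the reconnaissance verbs rather than on the shell alone keeps the rule usable; the command list and process names are the knobs to tune for a given environment, and pairing the rule with an audit of TeamCity user creation covers the other half of the behaviour the article describes.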
