Skip to content

BianLian Hackers Exploiting TeamCity Servers to Deploy Powershell Backdoor

March 11, 2024 – Published on Cyber Security News

The notorious hacking group BianLian, known for its sophisticated cyber attacks, has shifted its focus to extortion-only operations following the release of a decryptor by Avast in January 2023.

GuidePoint’s Research and Intelligence Team (GRIT) has been closely monitoring BianLian’s activities and, together with their Digital Forensics and Incident Response (DFIR) team, has uncovered a new method of attack involving the exploitation of TeamCity servers.

The attackers exploited vulnerabilities identified as CVE-2024-27198 and CVE-2023-42793 to gain initial access, although the specific CVE used remains undetermined due to unavailable logs.

This initial foothold allowed the threat actors to create users and execute malicious commands under the TeamCity service account.

Read More HERE.