BianLian ransomware crew exploiting bugs in JetBrains’ TeamCity platform
March 12, 2024 – Published on SC Magazine
The BianLian ransomware gang is exploiting known bugs in JetBrains’ TeamCity software development platform to gain initial access to victims’ systems.
Researchers at GuidePoint Security said they recently observed an intrusion where BianLian attempted to deploy several malicious tools, including a novel PowerShell backdoor, after accessing a victim’s TeamCity server.
“As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities,” the researchers said in a March 8 blog post.
The threat group’s TeamCity hack involved exploiting one of two critical-severity authentication bypass vulnerabilities: CVE-2024-27198, which was patched this month, and CVE-2023-42793, which was patched last September.
“The threat actor identified a vulnerable TeamCity server and leveraged CVE-2024-27198/CVE-2023-42793 for initial access into the environment, creating users in TeamCity and invoking malicious commands under the TeamCity product’s service account,” GuidePoint Security’s researchers said.