JetBrains TeamCity is being massively exploited and rogue accounts are thriving

Attacks against two security vulnerabilities in the TeamCity CI/CD platform began in earnest just days after its developer, JetBrains, disclosed the flaws on March 3.

The attacks include at least one campaign to distribute ransomware and another in which a threat actor appears to create administrator users on vulnerable instances of TeamCity for potential future use.

One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum CVSS severity score of 9.8 out of 10 and is an authentication bypass issue in the TeamCity Web component. The Rapid7 researchers who discovered the vulnerability and reported it to JetBrains described it as allowing an unauthenticated, remote attacker to execute arbitrary code to take complete control of the instances involved.

CVE-2024-27199, the other vulnerability disclosed by JetBrains, is a moderate-severity authentication bypass flaw in the same TeamCity web component. According to Rapid7, it allows a “limited amount” of information disclosure and system changes.

TeamCity developers: a valuable target for attackers

Approximately 30,000 organizations use TeamCity to automate the build, test, and deployment processes for software projects in CI/CD environments. Like other recent TeamCity flaws, such as CVE-2024-23917 in February 2024 and CVE-2023-42793, which the Russian group Midnight Blizzard (also known for the infamous SolarWinds supply chain attack) used in attacks last year, the two new ones have caused considerable concern.

Concerns include the possibility of attackers abusing the flaws to take control of an organization’s software builds and projects to launch mass supply chain attacks.

“Attackers are realizing that tools like TeamCity for configuration deployment are an easy way to quickly propagate malicious code,” says Greg Fitzgerald, co-founder of Sevco Security. Many attackers also abuse trusted tools like TeamCity to enable large-scale lateral movement, he says.

Stephen Fewer, principal security researcher at Rapid7, says that, armed with the new vulnerabilities, an attacker can use search engines like Shodan and FOFA to locate exposed TeamCity servers. One caveat is that there are a large number of honeypot servers masquerading as TeamCity servers, so bad actors may need to do extra work to find legitimate instances, he says.

Post-discovery exploitation is trivial, Fewer says. “CVE-2024-27198 can be exploited via a single HTTP request,” he says. This allows “an attacker to create a new administrator user account or access token on the system, and from there the attacker can exploit this to completely take control of the server, including remote code execution [RCE] on the target operating system.”

By creating a new administrator account on a vulnerable instance, an attacker can potentially access and modify all resources managed by TeamCity instances, including projects, build agents, and artifacts.

“Another avenue the attacker can use is to leverage their access to execute arbitrary commands on the underlying operating system to take full control of the server,” says Fewer. One way to do this is to deploy a malicious TeamCity plugin that hosts a payload of the attacker’s choosing. Another option is to leverage a debugging REST API available in some versions of TeamCity to run commands on the operating system. “From here, the attack can move deeper into the target’s network or establish persistence on the compromised server to maintain access,” says Fewer.

High severity JetBrains TeamCity threats

On March 5, the director of CrowdStrike’s threat hunting group reported that he had observed numerous cases where a threat actor had exploited the two flaws to distribute what appeared to be a modified version of Jasmin, an open source tool that red teamers can use to simulate a real ransomware attack. Its maintainers have described Jasmin as a WannaCry clone.

Separately, LeakIX, a site that aggregates data on data breaches and leaks, reported detecting some 1,711 TeamCity instances exposed on the web, of which 1,442 showed signs of someone having created unauthorized user accounts on them via CVE-2024-27198. “If you were or are still using a vulnerable system, accept a compromise,” LeakIX noted on X, the platform formerly known as Twitter.
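The rogue-account activity described above (Fewer's point about attackers creating administrator accounts, and LeakIX's count of instances showing unauthorized users) suggests a simple defensive check: pull the user list from a TeamCity server and flag any global administrator that the team does not recognise, plus any account that has logged in since the March 3 disclosure. The following script is an added example written for this article; it is not code from JetBrains, Rapid7 or LeakIX. It assumes (labelled in the comments) that the server exposes the REST endpoint `/app/rest/users` with a `fields` selector, that global admin is expressed as a `SYSTEM_ADMIN` role with scope `g`, and that `lastLogin` uses TeamCity's compact timestamp format; the JSON sample embedded below is constructed to resemble such a response and is not real data.

```python
"""Audit a TeamCity user list for unexpected administrator accounts.

Added example for this article; not JetBrains', Rapid7's or LeakIX's code.
Assumptions: the /app/rest/users endpoint, the SYSTEM_ADMIN role id, the
global scope value "g" and the lastLogin format are taken from TeamCity's
documented REST API but are not confirmed by the article itself.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Day JetBrains disclosed CVE-2024-27198 / CVE-2024-27199 (from the article).
DISCLOSURE = datetime(2024, 3, 3, tzinfo=timezone.utc)

# Constructed sample: mimics the shape of a TeamCity /app/rest/users reply.
# Usernames, ids and timestamps are invented for this example.
SAMPLE_USERS = json.dumps({
    "count": 3,
    "user": [
        {"id": 1, "username": "alice", "lastLogin": "20240306T091200+0000",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
        {"id": 2, "username": "bob", "lastLogin": "20240301T120000+0000",
         "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:MyProj"}]}},
        {"id": 3, "username": "ci-tmp-4821", "lastLogin": "20240304T031500+0000",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    ],
})

# The administrators the team actually provisioned (constructed allow-list).
ALLOWED_ADMINS = {"alice"}

USER_FIELDS = "user(id,username,lastLogin,roles(role(roleId,scope)))"


def fetch_users(base_url, token):
    """Pull the live user list with an admin access token (assumed endpoint)."""
    url = base_url.rstrip("/") + "/app/rest/users?fields=" + USER_FIELDS
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,  # TeamCity access-token scheme
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_global_admin(user):
    """True if any role grants SYSTEM_ADMIN at global scope ("g")."""
    roles = user.get("roles", {}).get("role", [])
    return any(r.get("roleId") == "SYSTEM_ADMIN" and r.get("scope") == "g"
               for r in roles)


def find_rogue_admins(users_json, allowed):
    """Usernames holding global admin that are not on the allow-list."""
    data = json.loads(users_json)
    return sorted(u["username"] for u in data.get("user", [])
                  if is_global_admin(u) and u["username"] not in allowed)


def active_since(users_json, since):
    """Usernames whose last login is on or after `since` (aware datetime)."""
    data = json.loads(users_json)
    hits = []
    for u in data.get("user", []):
        raw = u.get("lastLogin")
        if not raw:
            continue  # never logged in; nothing to date
        last = datetime.strptime(raw, "%Y%m%dT%H%M%S%z")
        if last >= since:
            hits.append(u["username"])
    return sorted(hits)


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_users(...)
    # for a real server once an admin token is available.
    print("unexpected global admins:", find_rogue_admins(SAMPLE_USERS, ALLOWED_ADMINS))
    print("logged in since disclosure:", active_since(SAMPLE_USERS, DISCLOSURE))
```

Any username in the first list is either a provisioning gap in the allow-list or an account to treat as attacker-created; the second list narrows the review to accounts that were active in the exploitation window. Run it from a host that already holds a legitimate admin token rather than minting a new one for the purpose, and keep the allow-list under version control so the diff itself becomes an audit record.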

Meanwhile, the nonprofit Internet monitoring site ShadowServer.org reported observing exploitation activity for CVE-2024-27198 as of March 4, one day after JetBrains revealed the flaw.

“If you are running JetBrains TeamCity on-premises, be sure to install the patch for the latest vulnerabilities CVE-2024-27198 (remote authentication bypass) and CVE-2024-27199 NOW!,” Shadowserver warned. The volunteer cyber threat intelligence organization reported detecting 1,182 instances of TeamCity, some of which may already have the patch installed. The most affected countries are the United States with 298 instances and Germany with 188.
