Multiple threat actors are exploiting recently revealed security flaws in JetBrains TeamCity software to distribute ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT.
The attacks involve the exploitation of CVE-2024-27198 (CVSS score: 9.8) which allows an adversary to bypass authentication measures and gain administrative control over affected servers.
“Attackers are then able to install malware that can reach its command and control (C&C) server and execute additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs),” Trend Micro said in a new relationship.
“The ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims.”
Following the public disclosure of the flaw earlier this month, it was weaponized by threat actors associated with the BianLian and Jasmin ransomware families, as well as to take out cryptocurrency miner XMRig and Spark RAT.
Organizations that rely on TeamCity for their CI/CD processes are advised to update their software as soon as possible to protect themselves from potential threats.
The development comes as ransomware continues to be formidable and profitable, with new strains such as DoNex, Evil Ant, Lighter, RA World and WinDestroyer emerging in the wild, even as notorious cybercrime groups such as LockBit continue to accept affiliates into their program despite the law. coercive actions against them.
WinDestroyer, in particular, stands out for its ability to encrypt files and render targeted systems unusable without any means to recover data, raising the possibility that the threat actors behind it are geopolitically motivated.
“One of the key issues when addressing ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS groups at the same time,” Cisco Talos said. “Persistent, strategic efforts will be needed to significantly damage RaaS operations and weaken the regenerative power of these bands.”
Data shared by the US Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) shows that 2,825 ransomware infections were reported in 2023, causing adjusted losses of more than $59.6 million. Of these, 1,193 came from organizations in the critical infrastructure sector.
The top five ransomware variants impacting critical infrastructure in the United States include LockBit, BlackCat (also known as ALPHV or Noberus), Akira, Royal, and Black Basta.
In addition to giving a bigger share of the proceeds to court affiliates, the landscape is seeing more collaboration between different ransomware groups sharing their malicious tools with each other.
These partnerships also manifest themselves in the form of ghost groups, where one ransomware operation outsources its expertise to another, as in the case of Zeon, LockBit and Akira.
Symantec, owned by Broadcom, in a report published last week, revealed that “ransomware activity remains on the rise despite the number of attacks claimed by ransomware authors declining by just over 20% in the fourth quarter of 2023 “.
According to statistics published by NCC Group, the total number of ransomware cases in February 2024 increased by 46% compared to January, from 285 to 416, led by LockBit (33%), Hunters (10%), BlackCat (9 %), Qilin (9%), BianLian (8%), Play (7%) and 8Base (7%).
“Recent law enforcement activity has the potential to polarize the ransomware landscape, creating clusters of smaller RaaS operators that are highly active and harder to detect due to their agility in forums and underground markets,” Matt Hull , global head of threat intelligence at NCC Group , said.
“It appears that the attention drawn by larger ransomware ‘brands’, such as LockBit and Cl0p, is leading to new, smaller, generic RaaS affiliate partnerships becoming the norm. As a result, detection and attribution may become more difficult and Affiliates could easily switch providers due to low entry thresholds and minimal monetary involvement.”
Added to this is the fact that threat actors have found new ways to infect victims by primarily exploiting vulnerabilities in public-facing applications and evading detection, as well as refining their tactics by increasingly targeting legitimate software and living outside earth (LotL). techniques.
Also popular among ransomware attackers are utilities such as TrueSightKiller, GhostDriver, and Terminator, which take advantage of the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software.
“BYOVD attacks are attractive to threat actors, as they can provide a means by which to disable AV and EDR solutions at the kernel level,” Sophos researchers Andreas Klopsch and Matt Wixey said in a report this month. “The sheer amount of known vulnerable drivers means that attackers have a wide range of options to choose from.”