BianLian Exploits TeamCity Flaws for Ransomware

by ·

GuidePoint Security, a cybersecurity firm, has uncovered that the BianLian group is exploiting vulnerabilities in the JetBrains TeamCity software to carry out ransomware attacks.

Experts have documented a sequence of attacks initiated through the exploitation of TeamCity instances via vulnerabilities CVE-2024-27198 (with a CVSS score of 9.8) or CVE-2023-42793 (also with a CVSS score of 9.8). This exploitation allowed the attackers to gain initial access to the system, create new accounts on the build server, and execute malicious commands for further penetration and lateral movement within the network. It remains unclear which of the two vulnerabilities was exploited for entry.

BianLian backdoor

C2IntelFeeds association of IP Address to BianLian Infrastructure

A distinctive feature of the BianLian attacks is the use of a specially crafted backdoor for each victim, written in the Go programming language, alongside the implementation of remote access tools – AnyDesk, Atera, SplashTop, and TeamViewer.

The BianLian backdoor, tracked by Microsoft as BianDoor, became the focus after several unsuccessful attempts to deploy a standard Go backdoor. The cybercriminals switched to a Living off the Land (LotL) strategy, utilizing a PowerShell implementation of their backdoor, which offers nearly identical functionality. The obfuscated PowerShell backdoor creates a TCP socket for further communication with a Command and Control (C2) server, allowing hackers to perform arbitrary actions on the infected host for ransomware purposes.

It is noted that CVE-2023-42793 has already been used in attacks on unpatched TeamCity servers. Exploiting the vulnerability enables an unauthenticated hacker to achieve remote code execution (RCE) without user interaction. According to the Cybersecurity and Infrastructure Security Agency (CISA), gaining access to TeamCity allows an attacker to escalate privileges, navigate through networks, install additional backdoors, and ensure long-term access to compromised networks, particularly those belonging to software developers.

The CVE-2024-27198 flaw, identified in early March, affects all versions of TeamCity On-Premises up to 2023.11.3 inclusive. The vulnerability allows an unauthenticated attacker with HTTP(S) access to the TeamCity server to bypass authentication and gain administrative control over the server. Compromising a TeamCity server grants the attacker complete control over all TeamCity projects, builds, agents, and artifacts, making it an ideal tool for conducting supply chain attacks.

Tags: