3rd Party Risk Management , Cybercrime , Fraud Management & Cybercrime
Hackers Exploit TeamCity Bug to Create Admin Accounts
Researchers Say PowerShell Scripts and Unidentified Malware Strains DeployedHackers are mass-exploiting a recently disclosed critical authentication bypass vulnerability in on-premises versions of TeamCity. JetBrains fixed the bugs in a Monday update, but researchers warn users running unpatched instances to assume compromise.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
Search engine for exposed device misconfigurations and vulnerabilities LeakIX on Thursday said that while scanning for compromised TeamCity servers it observed 1,711 vulnerable instances of which "1442 show clear signs of rogue user creation. If you were/are still running a vulnerable system, assume compromise."
In light of the detailed description of the vulnerability and the corresponding exploit in the public domain that demonstrated a complete server takeover maneuver after gaining administrative privileges for a server, researchers earlier in the week already warned of immediate real-world exploitation of TeamCity's CVE-2024-27198 bug (see: JetBrains' TeamCity Bugs Could Lead to Server Takeover).
Managed security platform Deepwatch confirmed a compromise of an unnamed finance and insurance sector organization through the TeamCity vulnerability, which was used to gain initial access and move laterally to other systems. "After gaining initial access, the threat actor created an admin account, implanted a PowerShell script, and deployed an unidentified malware strain," Deepwatch said.
The threat actor created a "TeamCityService" account on an internet-exposed TeamCity instance. Pivoting to a software build environment within TeamCity, the actor implanted the un-retrieved SysUpdate.exe
executable in the C:
directory via winpty-agent.exe
.
After establishing a foothold, the actor scheduled daily execution of SysUpdate.exe
at 10:00 a.m. in build environment 1 and created the "Administralor" user, adding it to 24 groups. Subsequently, the actor dropped the web.ps1
PowerShell script, though its execution was undetected.
The threat actor then implanted the same malicious executable in another build environment 2 of the compromised organization but no further malicious activity from the "Administralor" account was observed after that.
The unsigned SysUpdate.exe
remained elusive and attempts to retrieve it failed, Deepwatch said. The threat actor also extracted Local Security Authority secrets, repeatedly altering the local administrator account's password. LSA secrets encompass various passwords including user credentials, service accounts, Internet Explorer, RAS connections, SQL, SYSTEM account and private user data such as Encrypted File System encryption keys.
Threat intelligence firms Sophos and GreyNoise also observed active attacks or attack attempts against multiple customers, and GreyNoise observed tens of unique IPs every day since its public disclosure, from where these attacks originate.
JetBrains initially announced the release of TeamCity 2023.11.4, which addresses the two vulnerabilities, in a terse blog post. "We do not share the details of security-related issues to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity," it said.
But Rapid7, which is attributed with the discovery of this bug, released a detailed technical advisory on Monday based on its own vulnerability disclosure policy. This advisory included a proof of concept that demonstrated the TeamCity vulnerability exploitation, forcing JetBrains to release a second blog post disclosing the severity of the problems and the consequences of exploiting the bug.
Hours after Rapid7's publication, several other POC exploit codes targeting CVE-2024-27198 were published on GitHub -POC 1, POC 2 and POC 3 - forcing researchers to question Rapid7's early full POC release. One of the POCs, if successful, added a new admin user while the other two performed remote code execution and also included functionality to add an admin user.
With a number of different POCs available publicly and a spike in exploitation attempts, JetBrains and researchers advised customers to apply TeamCity's upgrades as soon as possible.