Critical TeamCity Vulnerability Exploitation Started Immediately After Disclosure

March 7, 2024 at 06:27AM

In March, JetBrains announced patches for two critical vulnerabilities in TeamCity. Exploitation attempts followed immediately, a consequence of miscommunication between Rapid7 and JetBrains: Rapid7 disclosed the flaws to prevent silent patching, while JetBrains wanted customers to install patches first. Exploitation attempts were seen from numerous IPs, highlighting the urgency of the situation.

The key points are as follows:

– Threat actors swiftly targeted a critical TeamCity vulnerability after patches were announced due to miscommunication during the responsible disclosure process.
– JetBrains announced patches for two authentication bypass vulnerabilities affecting its TeamCity server, one of which is critical and the other is high severity.
– Rapid7 discovered the flaws and expressed concerns about miscommunication with JetBrains, which led to an early disclosure of the technical details and availability of patches.
– Exploitation attempts targeting the vulnerabilities were observed immediately after their disclosure, with PoC exploits emerging the next day.
– Several organizations reported scanning and tracking exploitation attempts on vulnerable TeamCity instances, with a significant number of unpatched hosts identified.
– It is uncertain who is behind the attacks, but given past occurrences, both profit-driven cybercriminals and state-sponsored cyberspies may be responsible.
