March 7, 2024 at 11:39AM
Security researchers have observed increasing exploit attempts using the latest vulnerabilities in JetBrains’ TeamCity, leading to ransomware deployment. Telemetry indicates active attacks using modified Jasmin ransomware. The uncoordinated disclosure of vulnerabilities between JetBrains and Rapid7 has caused a stir in the cybersecurity community, highlighting contrasting policies regarding vulnerability disclosure. Users of affected software versions are urged to apply patches immediately.
Key Takeaways from the Meeting Notes:
– Security researchers are observing active exploit attempts using recent vulnerabilities in JetBrains’ TeamCity, leading to ransomware deployment in some cases.
– CrowdStrike’s director of threat hunting operations, Brody Nisbet, reported seeing signs of attacks using a modified version of Jasmin ransomware.
– Rapid7 and other researchers have noted the exploitation of TeamCity vulnerabilities in the wild, with one critical and one high-severity vulnerability being exploited at mass scale.
– Security misconfiguration search engine LeakIX reported that the most severe of the two vulnerabilities, CVE-2024-27198, was being exploited at mass scale, leading to compromised CI/CD servers and the creation of numerous accounts for future use.
– There are still 1,182 TeamCity servers exposed to the internet and vulnerable to the security issues, with the US and Germany hosting the highest numbers of exposed servers.
– Those using on-prem versions of TeamCity prior to 2023.11.4 are advised to apply patches immediately to mitigate the risk of software supply chain attacks.
– Rapid7 was accused of “throwing JetBrains under the bus” by publishing a disclosure timeline that contrasted the two vendors’ policies regarding vulnerability disclosure.
– JetBrains intended to give its customers time to apply patches before publishing full vulnerability details, whereas Rapid7’s policy is to publish vulnerabilities in full at the time patches are released to maintain community transparency.
– The differing approaches have led to a division within the cybersecurity community, with Rapid7 assuming that details would never be publicized by JetBrains, while JetBrains maintains that it never intended to release a fix silently without making full details public.
Let me know if you need further clarification on any of these points!