Recent TeamCity Vulnerability Exploited in Ransomware Attacks

March 11, 2024 at 11:45AM

The recent disclosure of a critical TeamCity vulnerability, CVE-2024-27198, was followed by ransomware attacks amid a dispute between Rapid7 and JetBrains. Rapid7 publicly detailed the vulnerabilities in the name of transparency after JetBrains fixed them without informing Rapid7. Threat actors launched attacks soon after the disclosure, compromising some servers and encrypting files. JetBrains blamed Rapid7 for its customers’ compromised systems.

A serious vulnerability in the TeamCity build management and continuous integration server, tracked as CVE-2024-27198, has been exploited in ransomware attacks. The product’s developer, JetBrains, announced fixes for this vulnerability and a second one, CVE-2024-27199, on March 4. Rapid7, which discovered the vulnerabilities, published the details after JetBrains announced the fixes, citing concerns that JetBrains would otherwise silently patch them.

Following the disclosure, threat actors began targeting CVE-2024-27198, and mass exploitation was observed by March 6. A ransomware group named BianLian, known for targeting critical infrastructure, may have exploited the vulnerability for initial access. JetBrains reported that some customers managed to install the patches before the attacks began, while others reported compromised servers and ransomware incidents. The company blamed Rapid7 for the customer system compromises and noted that previous vulnerabilities in its products had not been exploited as widely or as quickly as CVE-2024-27198.

JetBrains claims to have taken steps to make patch analysis more difficult, providing more time for customers to install the fixes before malicious exploitation commenced.

