TeamCity Flaw Leads to Surge in Ransomware, Cryptomining, and RAT Attacks

March 20, 2024 at 07:30AM

Multiple threat actors are exploiting security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan. The attacks entail the exploitation of CVE-2024-27198, enabling adversaries to gain administrative control over affected servers. Organizations using TeamCity are urged to update their software promptly. Ransomware remains profitable, with new strains emerging, and threat actors continuing to find novel ways to infect victims and evade detection.

Summary:
– Threat actors are exploiting security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and Spark RAT.
– The attacks involve the exploitation of CVE-2024-27198, enabling adversaries to bypass authentication and gain administrative control over affected servers.
– Trend Micro warns that attackers are using this vulnerability to install malware, reach out to command-and-control servers, and deploy additional commands.
– Organizations using TeamCity for CI/CD processes are advised to update their software promptly to protect against these threats.
– Ransomware remains a significant concern, with new strains like DoNex, Evil Ant, Lighter, RA World, and WinDestroyer emerging despite law enforcement actions.
– The FBI’s Internet Crime Complaint Center reported 2,825 ransomware infections in 2023, causing adjusted losses of over $59.6 million, with 1,193 affecting critical infrastructure organizations.
– Notable ransomware variants impacting critical infrastructure in the U.S. include LockBit, BlackCat (aka ALPHV or Noberus), Akira, Royal, and Black Basta.
– Symantec’s report indicates that ransomware activity continues to increase despite a slight decrease in the number of reported attacks.
– NCC Group statistics show a 46% increase in ransomware cases from January to February 2024, led by LockBit, Hunters, BlackCat, Qilin, BianLian, Play, and 8Base.
– Recent law enforcement activity may change the ransomware landscape, leading to a larger number of smaller RaaS operators that are highly active but harder to detect.
– Threat actors are finding new ways to infect victims, exploit vulnerabilities, and evade detection, and are increasingly using legitimate software and living-off-the-land (LotL) techniques.
– Ransomware attackers are also using utilities like TrueSightKiller, GhostDriver, and Terminator, which leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software.
