March 20, 2024 at 03:06AM
Critical vulnerabilities (CVE-2024-27198 and CVE-2024-27199) in TeamCity On-Premises platform allow attackers to gain administrative control. Exploitation includes deploying Jasmin ransomware, XMRig cryptocurrency miner, Cobalt Strike beacons, SparkRAT backdoor, and executing domain discovery and persistence commands. Organizations must promptly update affected systems to prevent widespread exploitation.
The meeting notes make clear that the TeamCity On-Premises platform is affected by critical vulnerabilities whose potential consequences include the deployment of ransomware, cryptocurrency-mining malware, backdoors, and other malicious activity. Exploitation of CVE-2024-27198 and CVE-2024-27199 can allow attackers to bypass authentication, gain administrative control, and execute follow-on commands.
Furthermore, public proof-of-concept exploits for these vulnerabilities exist, which makes it urgent for organizations to address them promptly. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog, underscoring the severity of the situation.
The meeting notes provide detailed insights into the post-exploitation payloads, including the deployment of Jasmin ransomware, XMRig cryptocurrency miner, SparkRAT backdoor, domain discovery, and persistence commands, as well as the deployment of Cobalt Strike beacons.
The document also outlines Trend Micro’s solutions to detect and shield against the exploitation of these vulnerabilities, including network security measures, detection rules, queries, and the MITRE ATT&CK matrix.
Overall, these meeting notes indicate the critical need for organizations utilizing TeamCity On-Premises to promptly address the vulnerabilities and take necessary actions to mitigate the potential risks associated with these exploits.