Ransomware Groups Exploiting Critical TeamCity RCE Flaw

October 2, 2023

Ransomware groups are exploiting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and delivery (CI/CD) server. The flaw, tracked as CVE-2023-42793, is an authentication bypass that lets unauthenticated attackers achieve remote code execution (RCE) on the server, with no user interaction required. It was discovered and reported by Swiss security firm Sonar, which published full technical details a week after JetBrains addressed the issue with the release of TeamCity 2023.05.4.

Sonar vulnerability researcher Stefan Schiller explained that this vulnerability allows attackers to steal source code, stored service secrets, and private keys. Furthermore, with access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users.

The Shadowserver Foundation, a nonprofit internet security organization, found 1,240 internet-exposed TeamCity servers still running vulnerable versions. Shortly after Sonar made its findings public, multiple threat actors began exploiting the flaw, as reported by threat intelligence companies GreyNoise and PRODAFT.

PRODAFT reported that multiple ransomware operations have added a CVE-2023-42793 exploit to their arsenal and are using it to infiltrate vulnerable TeamCity servers. The warning from PRODAFT stated, 'Many popular ransomware groups started to weaponize CVE-2023-42793 and added the exploitation phase in their workflow. Our BLINDSPOT platform has detected multiple organizations already exploited by threat actors over the last three days. Unfortunately, most of them will have a huge headache in the upcoming weeks.'

GreyNoise observed attacks from at least 56 different IP addresses actively targeting JetBrains TeamCity servers in an attempt to infiltrate unpatched installations. GreyNoise also warned organizations that failed to patch their servers before September 29th that their systems are likely to have already been compromised.
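The two facts above give defenders a simple triage rule: any on-premises TeamCity below 2023.05.4 is vulnerable, and any server that was not upgraded before September 29 should be treated as probably compromised rather than merely patched. The script below is an added example (not code from the article, GreyNoise, PRODAFT or JetBrains) that applies that rule to a server inventory. It assumes version strings look like the ones TeamCity shows in its footer ("2023.05.3" or "2023.05.3 (build 129390)") and that the upgrade date, where known, is recorded per host; the inventory itself is constructed sample data.

```python
"""Triage a TeamCity inventory against CVE-2023-42793.

Added example, not part of the original article or any vendor tooling.
Assumptions: version strings follow TeamCity's footer format
("2023.05.3" or "2023.05.3 (build 129390)"); the upgrade date per host
is known or None. Inventory below is constructed sample data.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# TeamCity 2023.05.4 is the first release carrying the fix.
FIXED_VERSION: Tuple[int, ...] = (2023, 5, 4)

# GreyNoise: servers not patched before 29 Sept 2023 are likely compromised.
EXPLOITATION_DATE = date(2023, 9, 29)

# Leading dotted number; ignores any trailing "(build NNNNNN)" suffix.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the dotted version as an int tuple so it compares numerically
    (lexicographic string comparison would rank '2023.05.10' < '2023.05.4')."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """Every release before 2023.05.4 is affected, including bare '2023.05'."""
    return parse_version(version) < FIXED_VERSION


def triage(version: str, patched_on: Optional[date]) -> str:
    """Classify one host. The version check decides exposure; the upgrade
    date decides whether 'patched' is good enough or an IR case."""
    if is_vulnerable(version):
        return ("VULNERABLE: upgrade to 2023.05.4 or later now; assume compromise, "
                "rotate stored secrets, review recent builds for injected steps")
    if patched_on is None:
        return ("PATCHED: upgrade date unknown; confirm it was before 2023-09-29, "
                "otherwise handle as exposed")
    if patched_on >= EXPLOITATION_DATE:
        return ("PATCHED LATE: exposed during active exploitation; treat as "
                "likely compromised and investigate")
    return "PATCHED: upgraded before public exploitation began"


def triage_inventory(inventory: List[dict]) -> Dict[str, str]:
    """Run triage over a list of {'host', 'version', 'patched_on'} records."""
    return {rec["host"]: triage(rec["version"], rec.get("patched_on"))
            for rec in inventory}


# Constructed sample inventory (hostnames and dates are made up).
SAMPLE_INVENTORY = [
    {"host": "ci-prod.example.test", "version": "2023.05.3 (build 129390)",
     "patched_on": None},
    {"host": "ci-eu.example.test", "version": "2023.05.4 (build 129421)",
     "patched_on": date(2023, 10, 2)},
    {"host": "ci-lab.example.test", "version": "2023.05.4",
     "patched_on": date(2023, 9, 21)},
    {"host": "ci-old.example.test", "version": "2022.10.1",
     "patched_on": None},
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:24} {verdict}")
```

The version is compared as a tuple of integers rather than as a string, so a hypothetical 2023.05.10 would correctly rank above 2023.05.4, and a bare "2023.05" (no patch level) is correctly treated as older than 2023.05.4. For hosts marked "PATCHED LATE", patching alone does not close the incident: the source code, build secrets and signing keys the article describes as reachable should be treated as exposed.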
