Rise in Ransomware, Cryptomining, and RAT Attacks Due to TeamCity Vulnerability

March 20, 2024

Recently disclosed security vulnerabilities in JetBrains TeamCity software are being exploited by several threat actors to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a remote access trojan (RAT) known as Spark RAT. The attacks exploit CVE-2024-27198, a flaw that allows an attacker to bypass authentication and gain administrative control over affected servers.

Trend Micro, in their new report, stated, "The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs). Ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims."

Following the public disclosure of the flaw, threat actors associated with BianLian and Jasmin ransomware families have weaponized it. They have used it to drop the XMRig cryptocurrency miner and Spark RAT. Organizations that use TeamCity for their CI/CD processes are advised to update their software immediately to protect against these threats.

The increase in ransomware attacks comes as new strains like DoNex, Evil Ant, Lighter, RA World, and WinDestroyer are emerging in the wild. Despite law enforcement actions against them, notorious cybercrime groups like LockBit are still recruiting affiliates into their program. WinDestroyer is particularly noteworthy due to its ability to encrypt files and render targeted systems unusable without any means of data recovery. This suggests a possible geopolitical motivation behind the threat actors.

The U.S. Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) reported that in 2023, there were 2,825 reported ransomware infections, resulting in adjusted losses of over $59.6 million. Out of these, 1,193 were from organizations in a critical infrastructure sector. The top five ransomware variants impacting U.S. critical infrastructure include LockBit, BlackCat (aka ALPHV or Noberus), Akira, Royal, and Black Basta.

The ransomware landscape is seeing increased collaboration between different groups that share their malicious tools. These partnerships also appear as ghost groups, where one ransomware operation outsources its skills to another. This was observed in the case of Zeon, LockBit, and Akira. Despite a slight decrease in the number of attacks claimed by ransomware actors in the fourth quarter of 2023, ransomware activity continues to rise.

According to NCC Group, the total number of ransomware cases in February 2024 increased by 46% from January, from 285 to 416. The most active ransomware families were LockBit (33%), Hunters (10%), BlackCat (9%), Qilin (9%), BianLian (8%), Play (7%), and 8Base (7%). The ransomware landscape may become more fragmented due to recent law enforcement activity, leading to smaller, more active RaaS operators that are harder to detect. Because large 'brand' ransomware operations such as LockBit and Cl0p draw attention, new and small generic RaaS affiliate partnerships may become the norm. This could make detection and attribution more difficult, and affiliates may easily switch providers because of low entry thresholds and minimal financial commitment.

Threat actors are finding new ways to infect victims, mainly by exploiting vulnerabilities in public-facing applications, while evading detection. They are also refining their tactics by increasingly relying on legitimate software and living-off-the-land (LotL) techniques. Utilities like TrueSightKiller, GhostDriver, and Terminator, which leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software, are popular among ransomware attackers. "BYOVD attacks are attractive to threat actors, as they can provide a means by which to disable AV and EDR solutions at the kernel level," said Sophos researchers Andreas Klopsch and Matt Wixey.
