Rewterz Threat Alert – JetBrains TeamCity Vulnerabilities Exploited in BianLian Ransomware Attacks – Active IOCs

Severity

High

Analysis Summary

The BianLian ransomware gang has been observed abusing vulnerabilities on JetBrains TeamCity software to carry out their extortion-based ransomware attacks. The security incident initiated the exploitation of a TeamCity server that ended up in the propagation of a PowerShell implementation of BianLian’s Go-based backdoor malware.

BianLian was first uncovered in June 2022 and since then it has been exclusively conducting extortion-based attacks after a decryptor was released in January 2023. The attack chain that was seen by cybersecurity researchers exploits a vulnerable TeamCity instance by using CVE-2023-42793 or CVE-2024-27198 to gain initial access to the environment. It is followed by making new users in the server and then executing commands for lateral movement and post-exploitation. It is unclear right now which of these two vulnerabilities was used by the threat actors to infiltrate the system.

The operators of BianLian are infamous for implanting a custom backdoor, tracked as BianDoor, which is made specifically for each victim and is written in the Go language. The actors also drop remote desktop tools such as Atera, AnyDesk, TeamViewer, and SplashTop. The group had many failed attempts to deploy their standard Go backdoor, after which the threat actor started relying on living-off-the-land techniques and used a PowerShell implementation of their backdoor, capable of providing similar functionality as their standard Go backdoor.

The PowerShell backdoor is obfuscated and can establish a TCP socket to provide additional network communication to a command-and-control (C2) server controlled by the actor to allow remote execution of several arbitrary actions on the compromised system. The disclosure comes as detailed proof-of-concept (PoC) exploits for a critical vulnerability that impacts Atlassian Confluence Data Center and Confluence Server (tracked as CVE-2023-22527) was released to the public that could result in remote code execution in a fileless way to directly load the Godzilla web shell into memory.

The security flaw has been weaponized by C3RB3R ransomware actors, as well as to deploy remote access trojans and cryptocurrency miners in the last two months, which indicated widespread exploitation in the wild. It is highly recommended to update systems with the latest patches to minimize the risks posed by threat actors exploiting known vulnerabilities.

Impact

• Code Execution
• Security Bypass
• Sensitive Data Theft
• Financial Loss

Indicators of Compromise

URL

• http://136.0.3.71:8001/win64.exe
• http://136.0.3.71:8001/64.dll

Affected Vendors

JetBrains

Affected Products

• JetBrains TeamCity 2023.11.4
• JetBrains TeamCity 2023.04
• JetBrains TeamCity 2023.03
• JetBrains TeamCity 2023.02
• JetBrains TeamCity 2023.01

Remediation

• Refer to the JetBrains Website for patch, upgrade, or suggested workaround information.
• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Enforce strong password policies and consider implementing multi-factor authentication (MFA) to enhance access security. 
• Deploy reputable and up-to-date endpoint protection solutions that include anti-malware, intrusion detection/prevention systems, and behavior-based detection mechanisms. 
• Identify and address any vulnerabilities or weaknesses in the systems that were exploited during the breach. Apply security patches and updates to ensure the systems are up-to-date.
• Implement a robust backup strategy that includes regular and automated backups of critical data. Ensure that backups are stored securely offline or in an isolated environment to prevent ransomware from encrypting backup files.
• Implement strong encryption measures for sensitive data to protect it from unauthorized access. Employ data segmentation techniques to isolate critical systems and data from less secure areas.
• Establish ongoing monitoring processes and conduct periodic security assessments to identify and address any evolving threats or vulnerabilities. Continuously improve security measures based on lessons learned from the incident.