JetBrains TeamCity exploit sparks rise in rogue account activity

TLDR:

  • Adversaries have begun targeting vulnerabilities in the JetBrains TeamCity CI/CD platform just days after disclosure.
  • The vulnerabilities, CVE-2024-27198 and CVE-2024-27199, allow attackers to take complete control of affected instances.

Attacks targeting two security vulnerabilities in the TeamCity CI/CD platform have begun in earnest just days after its developer, JetBrains, disclosed the flaws on March 3. The vulnerabilities include an authentication bypass issue (CVE-2024-27198) with a near-maximum severity CVSS rating of 9.8, and a moderate-severity authentication bypass flaw (CVE-2024-27199) in the same TeamCity Web component. These vulnerabilities allow for unauthorized code execution and system modification, making affected instances vulnerable to complete takeover by threat actors.

TeamCity, used by around 30,000 organizations, has become a valuable target for attackers looking to exploit software build, testing, and deployment processes. Attackers are leveraging these vulnerabilities to create rogue admin accounts on vulnerable instances, distribute ransomware, launch supply chain attacks, and enable lateral movement at scale. These attacks can lead to the compromise of an organization’s software projects, build agents, and artifacts, as well as provide attackers with the ability to run arbitrary commands on the underlying operating system.

Organizations are advised to patch their TeamCity instances immediately and monitor for any signs of compromise. Threat intelligence reports describe active exploitation of the disclosed vulnerabilities, with threat actors deploying ransomware and creating rogue user accounts on exposed instances.

The ongoing mass exploitation of JetBrains TeamCity vulnerabilities highlights the critical need for organizations to prioritize cybersecurity measures to protect their CI/CD environments and prevent unauthorized access and control by malicious actors.
