Priya PatelTLDR:
Security researchers have identified active exploit attempts targeting JetBrains’ TeamCity software with ransomware. More than 1,000 servers remain unpatched and vulnerable to these attacks. The vulnerabilities, one critical and one high-severity, are being exploited in the wild, leading to concerns about software supply chain attacks. The uncoordinated disclosure of the vulnerabilities between JetBrains and Rapid7 has caused confusion within the cybersecurity community.
JetBrains TeamCity under attack by ransomware thugs
Security researchers have reported that JetBrains’ TeamCity software is currently under attack by ransomware thugs. More than 1,000 servers running unpatched versions of TeamCity are vulnerable to these attacks. The vulnerabilities being exploited are one critical and one high-severity, making software supply chain attacks a significant concern.
Ransomware attackers are taking advantage of these vulnerabilities to deploy ransomware, including a suspected modified version of Jasmin ransomware. Previous variants of this ransomware tool have been used for malicious purposes, locking victims out of their files and demanding unconventional ransom payments.
Exploitation of these vulnerabilities is widespread, with attackers breaking into CI/CD servers and creating hundreds of accounts for future malicious activities. The usernames being registered post-exploit are random alphanumeric characters, serving as an indicator of compromise if spotted in a TeamCity instance.
JetBrains’ handling of the disclosure of these vulnerabilities has caused some controversy within the cybersecurity community. The company wanted to provide its customers with time to apply patches before disclosing the full details of the vulnerabilities, while Rapid7’s policy is to publish vulnerabilities in full when patches are released. This differing approach to disclosure has led to confusion and debate among security experts.
For organizations using on-prem versions of TeamCity prior to 2023.11.4, applying the patches immediately is recommended to protect against potential attacks. The ongoing exploitation of these vulnerabilities highlights the importance of timely patching and coordinated disclosure within the cybersecurity community.
