Security experts have warned that threat actors are currently exploiting a critical TeamCity vulnerability en masse, creating hundreds of new user accounts on compromised servers.
TeamCity is a popular CI/CD developer tool from Czech outfit JetBrains. Rapid7 published exploit details of two new vulnerabilities in the product earlier this week.
These include CVE-2024-27198: an authentication bypass vulnerability in the web component of TeamCity which has a CVSS base score of 9.8. It could allow “complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated remote code execution (RCE),” according to Rapid7.
Cybersecurity firm LeakIX revealed in a post on X (formerly Twitter) yesterday that it found 1711 vulnerable TeamCity instances in its last scan. Of these, 1442 (84%) showed “clear signs of rogue user creation,” it added.
In a separate post, the firm revealed that it had observed “hundreds” of these user accounts being created by attackers “for later use across the internet.”
⚠️⚠️⚠️ We’re seeing massive exploitation of TeamCity CVE-2024-27198.
Hundreds of users are created for later use across the Internet. pic.twitter.com/VIRx13ZdMS
— LeakIX (@leak_ix) March 6, 2024
This could have a major knock-on effect across the web, as TeamCity plays a key role for many organizations in helping developers build and deploy software.
“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 warned on Monday.
Sysadmins have been urged by JetBrains and Rapid7 to upgrade their on-premises TeamCity servers immediately to avoid such an eventuality. However, for many it may already be too late.
Read more on TeamCity vulnerabilities: Patched Critical Flaw Exposed JetBrains TeamCity Servers
“If you were/are still running a vulnerable system, assume compromise,” LeakIX warned.
The JetBrains product has been the target of Russian state actors in the past.
In December last year, a joint advisory from agencies in the US, UK and Poland warned that Cozy Bear (APT29) had “been targeting servers hosting JetBrains TeamCity software since September 2023.”
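One concrete check behind the “rogue user creation” indicator and the “assume compromise” advice above is to compare the accounts a TeamCity server currently reports against the accounts an administrator expects to exist. The script below is an added example, not code from the article and not LeakIX’s or JetBrains’ tooling. The REST endpoint (`/app/rest/users`), its JSON shape and the bearer-token header are assumptions about the TeamCity API; the sample response and the baseline account list are constructed.

```python
"""
Added example (not from the article, LeakIX or JetBrains): flag TeamCity user
accounts that are not in an administrator's baseline, the kind of check that
turns a user listing into a "rogue user creation" indicator.

Assumptions (not stated in the article):
  - GET /app/rest/users returns JSON shaped like
    {"count": N, "user": [{"id": ..., "username": ..., "name": ...}, ...]}
    when requested with Accept: application/json and a bearer access token.
  - BASELINE_USERS is the set of accounts that are expected to exist.
"""
import json
import urllib.request

# Constructed sample response in the assumed shape of /app/rest/users.
# The two last entries stand in for accounts nobody on the team created.
SAMPLE_USERS_JSON = json.dumps({
    "count": 5,
    "user": [
        {"id": 1, "username": "admin", "name": "Build Admin"},
        {"id": 2, "username": "ci-bot", "name": "CI service account"},
        {"id": 3, "username": "alice", "name": "Alice"},
        {"id": 41, "username": "x7q2k9", "name": "x7q2k9"},
        {"id": 42, "username": "support_tmp", "name": ""},
    ],
})

# Constructed baseline: the accounts the administrator knows about.
BASELINE_USERS = {"admin", "ci-bot", "alice"}


def fetch_users(base_url: str, token: str) -> str:
    """Fetch the raw user listing from a live server (assumed endpoint/auth)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/users",
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def parse_usernames(users_json: str) -> list[str]:
    """Extract usernames from the assumed JSON shape."""
    data = json.loads(users_json)
    return [u["username"] for u in data.get("user", [])]


def find_unexpected_users(users_json: str, baseline: set[str]) -> list[str]:
    """Accounts present on the server but absent from the baseline."""
    return sorted(set(parse_usernames(users_json)) - baseline)


def find_missing_users(users_json: str, baseline: set[str]) -> list[str]:
    """Baseline accounts no longer present (deleted or renamed)."""
    return sorted(baseline - set(parse_usernames(users_json)))


def assess(users_json: str, baseline: set[str]) -> dict:
    """Summarise the comparison; any unexpected account on a server that was
    exposed while unpatched is treated as a compromise indicator."""
    unexpected = find_unexpected_users(users_json, baseline)
    return {
        "total_users": len(parse_usernames(users_json)),
        "unexpected": unexpected,
        "missing": find_missing_users(users_json, baseline),
        "assume_compromise": bool(unexpected),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a real server,
    # replace SAMPLE_USERS_JSON with fetch_users("https://teamcity.example", token).
    print(json.dumps(assess(SAMPLE_USERS_JSON, BASELINE_USERS), indent=2))
```

The baseline is the part that needs care: it should come from a record kept outside the TeamCity server (an identity provider export or a configuration-management inventory), since a listing taken after exposure may already include attacker-created accounts. A non-empty `unexpected` list is a trigger for the response the article quotes, not a cleanup step on its own, because an attacker with the access the advisory describes can also alter projects, build configurations and agents.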