Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT.
The attacks entail the exploitation of CVE-2024-27198 (CVSS score: 9.8) that enables an adversary to bypass authentication measures and gain administrative control over affected servers.
"The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs)," Trend Micro said in a new report.
"Ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims."
Following public disclosure of the flaw earlier this month, it has been weaponized by threat actors associated with BianLian and Jasmin ransomware families, as well as to drop the XMRig cryptocurrency miner and Spark RAT.
Organizations relying on TeamCity for their CI/CD processes are recommended to update their software as soon as possible to safeguard against potential threats.
The development comes as ransomware continues to be both formidable and profitable, with new strains like DoNex, Evil Ant, Lighter, RA World, and WinDestroyer emerging in the wild, even as notorious cybercrime crews like LockBit are still accepting affiliates into their program despite law enforcement actions against them.
WinDestroyer, in particular, stands out for its ability to encrypt files and render targeted systems unusable with no means to recover the data, raising the possibility that the threat actors behind it are geopolitically motivated.
"One of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS outfits at a time," Cisco Talos said. "It's going to take persistent, strategic efforts to significantly damage RaaS operations and weaken the regenerative power of these gangs."
Data shared by the U.S. Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) shows that 2,825 ransomware infections were reported in 2023, causing adjusted losses of more than $59.6 million. Of these, 1,193 came from organizations belonging to a critical infrastructure sector.
The top five ransomware variants impacting critical infrastructure in the U.S. include LockBit, BlackCat (aka ALPHV or Noberus), Akira, Royal, and Black Basta.
Besides offering a bigger chunk of the proceeds to court affiliates, the landscape is witnessing increased collaboration between different ransomware groups that share their malicious tooling with each other.
These partnerships also manifest in the form of ghost groups, in which one ransomware operation outsources its skills to another, as seen in the case of Zeon, LockBit, and Akira.
Broadcom-owned Symantec, in a report published last week, revealed that "ransomware activity remains on an upward trend despite the number of attacks claimed by ransomware actors decreasing by slightly more than 20% in the fourth quarter of 2023."
According to statistics published by NCC Group, the total number of ransomware cases in February 2024 increased by 46% from January, up from 285 to 416, led by LockBit (33%), Hunters (10%), BlackCat (9%), Qilin (9%), BianLian (8%), Play (7%), and 8Base (7%).
"Recent law enforcement activity has the potential to polarize the ransomware landscape, creating clusters of smaller RaaS operators that are highly active and harder to detect due to their agility in underground forums and markets," Matt Hull, global head of threat intelligence at NCC Group, said.
"It appears that the attention drawn by the larger 'brand' ransomware, such as LockBit and Cl0p, is leading to new and small generic RaaS affiliate partnerships becoming the norm. As a result, detection and attribution could become harder, and affiliates may easily switch providers due to low entry thresholds and minimal monetary involvement."
Indeed, smaller RaaS upstarts like Cloak, Medusa, and RansomHub are capitalizing on the high-profile law enforcement takedowns to fill the vacuum and recruit affiliates through advertisements on dark web forums such as UFO Labs and RAMP.
"Ransomware groups, including RaaS groups, most frequently rebrand or splinter as a means of continuing operations in the wake of law enforcement scrutiny," GuidePoint Security said. "Affiliates, by comparison, face a marketplace of competing RaaS groups with a limited talent pool of affiliates from which to draw."
"Recent increases in advertisements for affiliates may indicate continued limitations in available human resources, growing distrust in particular RaaS groups or the RaaS operating model, or impacted groups that do not intend to continue operations."
Threat actors are also finding new ways to gain a foothold, mainly by exploiting vulnerabilities in public-facing applications, and to evade detection, refining their tactics by increasingly relying on legitimate software and living-off-the-land (LotL) techniques.
Also popular among ransomware attackers are utilities like TrueSightKiller, GhostDriver, and Terminator, which leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software.
"BYOVD attacks are attractive to threat actors, as they can provide a means by which to disable AV and EDR solutions at the kernel level," Sophos researchers Andreas Klopsch and Matt Wixey said in a report this month. "The sheer amount of known vulnerable drivers means that attackers have a wealth of options to choose from."
Other defense evasion tools used by LockBit, Mimic, Phobos, Royal, and Ryuk to disable security products include Defender Control, Process Hacker, and GMER.
"Because these tools are those that can be used by ordinary users for legitimate purposes, there are limits to detecting and blocking these with just anti-malware products," the AhnLab Security Intelligence Center (ASEC) said.