Lucene search

K
thnThe Hacker NewsTHN:F97848537347918F2AAE63953473BEA2
HistoryMar 11, 2024 - 9:53 a.m.

BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks

2024-03-1109:53:00
The Hacker News
thehackernews.com
55
bianlian
threat actors
jetbrains
teamcity
flaws
ransomware
attacks
guidepoint security
powershell
backdoor
cyber security
cve-2024-27198
cve-2023-42793
exploit
vulnerabilities
infiltration
backdoor
go
anydesk
atera
splashtop
teamviewer
biandoor
palo alto networks
unit 42
obfuscated
tcp socket
command-and-control
vulncheck
atlassian confluence
cve-2023-22527

AI Score

10

Confidence

High

EPSS

0.972

Percentile

99.9%

Ransomware

The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.

According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian’s Go backdoor.”

BianLian emerged in June 2022, and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023.

Cybersecurity

The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.

It’s currently not clear which of the two flaws were weaponized by the threat actor for infiltration.

BianLian actors are known to implant a custom backdoor tailored to each victim written in Go, as well as drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.

“BianLian’s backdoor, similar to the encryptor, is written in Go. Its core functionality is more of a loader than a classic backdoor, with its main functionality being downloading and executing additional payloads,” Palo Alto Networks Unit 42 noted in January 2024. “The backdoor contains a hard-coded C2 IP address and port to communicate with.”

“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.

The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for additional network communication to an actor-controlled server, allowing the remote attackers to conduct arbitrary actions on an infected host.

“The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker’s post-exploitation objectives,” the researchers said.

The disclosure comes as VulnCheck detailed fresh proof-of-concept (PoC) exploits for a critical security flaw impacting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) that could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory.

Cybersecurity

The flaw has since been weaponized to deploy C3RB3R ransomware, cryptocurrency miners and remote access trojans over the past two months, indicating widespread exploitation in the wild.

“There’s more than one way to reach Rome,” VulnCheck’s Jacob Baines noted. “While using freemarker.template.utility.Execute appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.