Threat Groups Rush to Exploit JetBrains’ TeamCity CI/CD Security Flaws
2024-03-11 23:07:30 Author: securityboulevard.com

The cyberthreats to users of JetBrains’ TeamCity CI/CD platform continue to mount a week after the company issued fixes for two security vulnerabilities, with one cybersecurity vendor reporting a ransomware group’s intrusion that used the flaws for initial access and a search engine reporting that 1,442 vulnerable instances showed signs of exploitation.

Those reports followed earlier ones indicating that bad actors began targeting the vulnerabilities a day after the fixes were released on March 4, as well as a public dispute over disclosure policy between JetBrains and researchers at cybersecurity firm Rapid7, who first found the bugs last month.

It adds up to a messy week for JetBrains and for users of TeamCity, a continuous integration and continuous delivery (CI/CD) platform that has been around since 2006 and is pitched as a way to build a flexible development and collaboration environment.

In February, Rapid7 researchers notified JetBrains of the two flaws: CVE-2024-27198, which carries a CVSS severity score of 9.8 out of 10, and CVE-2024-27199, rated 7.3. Both let an unauthenticated attacker bypass authentication on the TeamCity web server. The first, an alternative-path bypass, lets an attacker gain full administrative control of an exposed instance; the second, a path-traversal issue, permits more limited information disclosure and system modification. Both are fixed in TeamCity 2023.11.4.

Threat groups could use the flaws to take control of build pipelines, and through them the software those pipelines produce, to launch software supply-chain attacks.

The Exploitation Begins

The attacks on TeamCity began almost immediately. Brody Nisbet, director of threat hunting at cybersecurity firm CrowdStrike, noted in an X (formerly Twitter) post the day after the fixes were released that there were already “multiple cases” of the vulnerabilities being exploited to deploy a possibly modified variant of the Jasmin ransomware. Jasmin is an open source tool used by red teams to simulate real ransomware attacks, but threat groups have also modified it into variants for their own malicious activities.

Two days after JetBrains rolled out the fixes, LeakIX – a search engine that scans for exposed and vulnerable systems and makes what it finds public – reported 1,711 vulnerable TeamCity instances, 1,442 of which “show clear signs of rogue user creation.”

The message from the site’s operators was that anyone still running a vulnerable instance should assume it has been compromised.

The Shadowserver Foundation, which also monitors internet-exposed systems, noted on X on March 5 that it was beginning to see exploitation attempts targeting the TeamCity vulnerabilities, and two days later reported 1,182 instances that were possibly still vulnerable, most of them in the United States and Germany.

BianLian Extortion Group Jumps In

Most recently, researchers with cybersecurity vendor GuidePoint Security reported that the operators behind the BianLian ransomware were exploiting the TeamCity vulnerabilities, initially trying to execute their backdoor written in the Go programming language. After those attempts failed, the group turned to living-off-the-land methods, using a PowerShell implementation of the backdoor that provided almost identical functionality, the researchers wrote in a report.

They detected the attack during an investigation of malicious activity within a customer’s network. It was unclear which of the two vulnerabilities the BianLian attackers exploited, they wrote.

After leveraging a vulnerable TeamCity instance for initial access, the attackers created new users on the build server and executed malicious commands that let them move laterally through the network and carry out post-exploitation activity. They also created a new account on one of the build servers and added it to user groups.
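Both the search-engine report of 1,442 instances showing rogue user creation and the accounts BianLian added to the build server point to the same check a defender wants after patching: list every TeamCity account and flag the ones nobody provisioned. The script below is an added example for this article, not code from JetBrains, GuidePoint or Rapid7. It assumes the documented TeamCity REST endpoints `/app/rest/users` and `/app/rest/users/id:<id>` read with a Bearer access token, but every response embedded in it is constructed so it runs offline; the `PROVISIONED` allowlist and the example e-mail domain are hypothetical.

```python
"""Audit a TeamCity server's user list for accounts nobody provisioned.

Added example for this article; not JetBrains' or GuidePoint's code.
The REST endpoints named below are real TeamCity ones; every "response"
embedded here is CONSTRUCTED so the audit runs offline.
"""
import json
import urllib.request
from dataclasses import dataclass, field

# TeamCity REST API (documented by JetBrains), read with a Bearer access token:
#   GET /app/rest/users          -> {"count": N, "user": [{"id", "username", "name", "href"}, ...]}
#   GET /app/rest/users/id:<id>  -> same fields plus "email", "lastLogin" and
#                                   "roles": {"role": [{"roleId": ..., "scope": "g" | "p:<project>"}]}

# Constructed stand-in for GET /app/rest/users (not a real server's data).
CONSTRUCTED_USER_LIST = {
    "count": 3,
    "user": [
        {"id": 1, "username": "admin", "name": "Build Admin", "href": "/app/rest/users/id:1"},
        {"id": 2, "username": "ci-bot", "name": "CI Bot", "href": "/app/rest/users/id:2"},
        {"id": 17, "username": "support", "href": "/app/rest/users/id:17"},
    ],
}

# Constructed stand-ins for GET /app/rest/users/id:<id>. User 17 is the pattern the
# "rogue user creation" warnings describe: a global admin with no e-mail and no owner.
CONSTRUCTED_USER_DETAILS = {
    1: {"id": 1, "username": "admin", "email": "admin@example.test",
        "lastLogin": "20240301T090000+0000",
        "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    2: {"id": 2, "username": "ci-bot", "email": "ci@example.test",
        "lastLogin": "20240305T120000+0000",
        "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:Payments"}]}},
    17: {"id": 17, "username": "support",
         "lastLogin": "20240305T031200+0000",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
}

# Hypothetical allowlist: the accounts your IdP or infrastructure-as-code actually created.
PROVISIONED = {"admin", "ci-bot"}


@dataclass
class Finding:
    username: str
    reasons: list = field(default_factory=list)


def global_admin(detail: dict) -> bool:
    """True if the user holds SYSTEM_ADMIN in the global scope ("g")."""
    roles = detail.get("roles", {}).get("role", [])
    return any(r.get("roleId") == "SYSTEM_ADMIN" and r.get("scope") == "g" for r in roles)


def audit_users(user_list: dict, details_by_id: dict, provisioned: set) -> list:
    """One Finding per account absent from the allowlist, with the traits that raise its priority."""
    findings = []
    for user in user_list.get("user", []):
        name = user["username"]
        if name in provisioned:
            continue
        detail = details_by_id.get(user["id"], {})
        reasons = ["not in provisioning allowlist"]
        if global_admin(detail):
            reasons.append("holds SYSTEM_ADMIN (global scope)")
        if not detail.get("email"):
            reasons.append("no e-mail address set")
        findings.append(Finding(name, reasons))
    return findings


def fetch_json(base_url: str, token: str, path: str) -> dict:
    """Live variant (not exercised offline): GET a TeamCity REST path with an access token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_live(base_url: str, token: str, provisioned: set) -> list:
    """Pull the real user list and per-user details, then run the same audit."""
    user_list = fetch_json(base_url, token, "/app/rest/users")
    details = {u["id"]: fetch_json(base_url, token, f"/app/rest/users/id:{u['id']}")
               for u in user_list.get("user", [])}
    return audit_users(user_list, details, provisioned)


if __name__ == "__main__":
    for f in audit_users(CONSTRUCTED_USER_LIST, CONSTRUCTED_USER_DETAILS, PROVISIONED):
        print(f"{f.username}: {'; '.join(f.reasons)}")
```

Run `audit_live("https://teamcity.example.test", token, PROVISIONED)` against each server after upgrading. An account outside the allowlist, and in particular one holding a global SYSTEM_ADMIN role with no e-mail, matches the pattern LeakIX and GuidePoint describe and should be treated as an indicator of compromise to investigate, not simply deleted.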

“The threat actor was detected in the environment after attempting to conduct a Security Accounts Manager (SAM) credential dumping technique, which alerted the victim’s VSOC, GuidePoint’s DFIR team, and GuidePoint’s Threat Intelligence Team (GRIT) and initiated the in-depth review of this PowerShell backdoor,” the researchers wrote.

BianLian has been active since at least 2022, targeting critical infrastructure organizations in the United States and elsewhere, according to a CISA advisory last year. Initially the group ran double-extortion campaigns, encrypting files and also stealing data, then threatening to publicly release the data to pressure victims into paying the ransom.

According to GuidePoint, cybersecurity vendor Avast released a decryptor for BianLian ransomware in January 2023, allowing organizations to decrypt their data and regain control of it. Since then, the BianLian operators have shifted to extortion-only attacks.

JetBrains vs. Rapid7

A backdrop to all this was the back-and-forth between JetBrains and Rapid7 about disclosure of the flaws. Stephen Fewer, principal security researcher at Rapid7, uncovered them and, according to the firm’s timeline, Rapid7 emailed JetBrains about the vulnerabilities on February 15 and again four days later, when JetBrains acknowledged the report. On February 20, Rapid7 gave JetBrains a technical analysis of the bugs, and JetBrains said it was able to reproduce the issues.

The next day the two discussed whether JetBrains should release the patches privately before public disclosure; Rapid7 stressed the need for coordinated disclosure rather than “silently patching” the vulnerabilities. After more emails between the two companies, JetBrains released the patches on March 4 without coordinating with Rapid7.

Rapid7 said its policy is to disclose vulnerability details 24 hours after learning that an update was made generally available.

However, in its own blog post, JetBrains said that, per its own policy, the plan was to release the fixes and a workaround and to notify customers about the vulnerabilities by email. Days later, the company would publish the CVE information and a blog post about the flaws, and only once a “significant number of customers have upgraded” would it publish the technical details.

The company decided against a coordinated release with Rapid7 once it determined that the two disclosure policies would not mesh and that the security firm would release technical details sooner than JetBrains typically does.

JetBrains put the onus on Rapid7, writing that it had recommended Rapid7 follow JetBrains’ disclosure policy.

“This suggestion was rejected by the Rapid7 team who published full details of the vulnerabilities (and how to exploit them) a few hours after we had released a fix to TeamCity customers,” the company wrote.

Article source: https://securityboulevard.com/2024/03/threat-groups-rush-to-exploit-jetbrains-teamcity-ci-cd-security-flaws/