Ransomware Gangs Now Exploiting Critical TeamCity RCE Flaw

Cyber Security Threat Summary:
“Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction. Swiss security firm Sonar (whose researchers discovered and reported the vulnerability) published full technical details one week after JetBrains addressed the critical security issue with the release of TeamCity 2023.05.4 on September 21st. JetBrains says the flaw impacts all TeamCity versions prior to the patched release but only On-Premises servers installed on Windows, Linux, and macOS, or that run in Docker. ‘This enables attackers not only to steal source code but also stored service secrets and private keys,’ Sonar vulnerability researcher Stefan Schiller explained. ‘And it's even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users’” (Bleeping Computer, 2023).

Security Officer Comments:
Exploitation of CVE-2023-42793 was observed soon after Sonar researchers released their technical write-up of the flaw. According to threat intelligence company PRODAFT, its BLINDSPOT platform has detected several organizations that ransomware actors have exploited in attacks. GreyNoise also noted that the exploitation attempts originated from at least 56 different IP addresses, meaning that many popular ransomware groups have added the exploit to their arsenal to target unpatched JetBrains TeamCity servers.

Suggested Correction(s):
Researchers at the Shadowserver Foundation have found 1240 unpatched TeamCity servers that are vulnerable to attacks. Most of these servers reside in Europe, followed by North America and Asia. To prevent potential exploitation, organizations running On-Premises TeamCity servers should ensure that they update to the latest release, TeamCity 2023.05.4, as soon as possible.
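The correction above reduces to one question per server: is the installed version older than 2023.05.4? The following script is an added example, not code from the advisory, from JetBrains or from Bleeping Computer. It parses TeamCity's year.month.patch version strings, flags any server below the fixed release, and triages a constructed asset inventory. The `fetch_version_string` helper assumes the TeamCity REST endpoint `/app/rest/server` and bearer-token authentication; both are assumptions not stated on the page, and the helper is never called by the offline part of the example.

```python
import re
import urllib.request
from typing import List, NamedTuple, Optional, Tuple
from xml.etree import ElementTree

# Release that fixes CVE-2023-42793 according to the advisory above.
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)

# TeamCity versions look like "2023.05.4 (build 129421)" or "2022.10";
# the patch component is optional, so it defaults to 0 when absent.
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_teamcity_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (year, month, patch) from a version string, or None if no
    version-shaped token is present (e.g. an unreachable host)."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    year, month, patch = match.groups()
    return (int(year), int(month), int(patch) if patch is not None else 0)


def is_vulnerable(version_text: str) -> bool:
    """True when the version is strictly older than the fixed release."""
    version = parse_teamcity_version(version_text)
    if version is None:
        raise ValueError(f"no TeamCity version found in {version_text!r}")
    return version < FIXED_VERSION


class HostStatus(NamedTuple):
    host: str
    version: str
    needs_patch: Optional[bool]  # None when the version could not be parsed


def triage(inventory: List[Tuple[str, str]]) -> List[HostStatus]:
    """Classify (host, version_string) pairs; unparseable entries are kept
    with needs_patch=None so they are reviewed rather than silently dropped."""
    results = []
    for host, version_text in inventory:
        parsed = parse_teamcity_version(version_text)
        needs_patch = None if parsed is None else parsed < FIXED_VERSION
        results.append(HostStatus(host, version_text, needs_patch))
    return results


def fetch_version_string(base_url: str, access_token: str, timeout: int = 10) -> str:
    """ASSUMPTION: queries GET {base_url}/app/rest/server with a bearer token
    and reads the 'version' attribute of the returned <server> element.
    Not exercised offline; only use against servers you administer."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        root = ElementTree.fromstring(resp.read())
    return root.attrib.get("version", "")


# Constructed inventory: hostnames and build numbers are placeholders.
SAMPLE_INVENTORY = [
    ("ci-01.example.invalid", "2023.05.3 (build 00000)"),
    ("ci-02.example.invalid", "2023.05.4 (build 00000)"),
    ("ci-03.example.invalid", "2022.10.3"),
    ("ci-04.example.invalid", "2023.11 (build 00000)"),
    ("ci-05.example.invalid", "connection refused"),
]

if __name__ == "__main__":
    for status in triage(SAMPLE_INVENTORY):
        label = {True: "PATCH NOW", False: "ok", None: "UNKNOWN"}[status.needs_patch]
        print(f"{status.host:24} {status.version:28} {label}")
```

Versions are compared as tuples so that a later year or month (for example 2023.11) is correctly treated as newer than 2023.05.4 even though its patch component is absent. Hosts whose version cannot be parsed are surfaced as UNKNOWN rather than assumed safe.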