BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks

The BianLian ransomware operators are leveraging vulnerabiities within JetBrains TeamCIty software to orchestrate their attacks, as reported by GuidePoint Security. The incursion typically commences with the exploitation of a vulnerable TeamCity server, resulting in the deployment of a PowerShell iteration of the BianLian ransomware. To achieve initial access, threat actors exploit known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793. Once access is obtained, the attackers proceed by creating new user accounts within the compromised build server, facilitating further malicious actions such as lateral movement and post exploitation activities.

Security Officer Comments:
Notably, BianLian perpetrators tailor a unique backdoor for each victim, typically crafted in the Go programming language. Additionally, they deploy various remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer to maintain persistence and facilitate access. In a recent development, security firm VulnCheck disclosed proof-of-concept exploits for a severe vulnerability affecting Atlassian Confluence, denoted as CVE-2023-22527. Exploitation of this flaw has led to the deployment of C3RB3R ransomware, cryptocurrency miners, and remote access trojans over the preceding months, signifying a significant threat landscape.

Suggested Corrections:
BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities. Researchers at Guidepoint’s Security’s biggest recommendations focus on preparedness and, more specifically, patching your externally facing applications. Similarly, practicing your incident response plans, moving forward with threat intelligence-informed pentests, and focusing on finding ways to leverage threat intelligence to keep up with current trends in the threat landscape will aid your teams in becoming more effective and efficient at preventing these types of attacks from occurring. A well-informed preventative and preparedness mentality coupled with an extremely effective response capability will ensure that you are ready for anything that BianLian, or any other threat actor, has to throw at you.

Additionally, Guidepoint has published indicators of compromise that can be used to detect and defend against the BianLian ransomware:

The two vulnerabilities leveraged by BianLian to gain initial access can be mitigated with the following options below:

CVE-2024-27198 Team City Suggested Corrections Options:

  • Update your server To update your server, download the latest version (2023.11.4) or use the automatic update option within TeamCity. This version includes patches for the vulnerabilities described above.
  • Apply the security patch plugin If you are unable to update your server to version 2023.11.4, we have also released a security patch plugin so that you can still patch your environment. The security patch plugin can be downloaded using one of the links below and installed on all TeamCity versions through 2023.11.3. It will patch the vulnerabilities described above.

CVE-2023-42793 Suggested Corrections:

  • CVE-2023-42793 can be fixed by updating to the latest version of the JetBrains TeamCity software, as the vulnerability has been resolved in version 2023.05.4.