Q2 2024 Threat Landscape Report: Threat Actors Do Their Homework, Ransomware and Cloud Risks Accelerate
by Keith Wojcieszek, Laurie Iacono, George Glass
Mon, Mar 11, 2024
Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
Two critical vulnerabilities have been discovered and patched in TeamCity, a build management and continuous integration server from JetBrains. These vulnerabilities are being tracked as CVE-2024-27198 and CVE-2024-27199 and impact all TeamCity On-Premises versions through 2023.11.3. They are reportedly being actively exploited as of March 6, 2024, and a fix is available in version 2023.11.4, which was released Monday, March 4. If exploited, the flaws may enable an unauthenticated attacker with network access to a TeamCity server to bypass authentication and gain administrative control.
CVE-2024-27198 is an authentication bypass vulnerability found in JetBrains TeamCity versions before 2023.11.4. This vulnerability has a CVSS score of 9.8 – CRITICAL with exploitability of 3.9 and impact of 5.9 and could allow an attacker to gain administrative privileges.
CVE-2024-27199 is a vulnerability discovered in JetBrains TeamCity versions before 2023.11.4. This vulnerability has a CVSS score of 7.3 – HIGH with exploitability of 3.9 and impact of 3.4. This is a path traversal vulnerability that could allow an attacker to perform limited admin actions. This could enable an attacker to replace a certificate on the server and perform a denial of service.
Exploitation of these vulnerabilities poses significant risk to codebases, CI/CD pipelines and any credentials stored on the TeamCity server. Exploitation could also lead to direct impact on codebases stored on TeamCity servers and may present supply chain risk.
Exploitation of these flaws has been detected in the wild, likely fueled by a technical writeup released March 4, less than 24 hours after patches were made available. The article included proof-of-concept code and a new Metasploit module for the vulnerabilities.
LeakIX, an internet-scanning and vulnerability-tracking firm, reports that instances of TeamCity are being attacked to create hundreds of random users. These accounts will likely be used later by the attackers to return to the impacted server, giving threat actors access even after a patch has been applied.
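The mass account creation described above leaves a detectable trace: many new users appearing within seconds of one another. The following added example (written for this page, not code from Kroll, LeakIX or JetBrains) flags such bursts; it assumes a constructed audit-event line format, not TeamCity's real log layout, so the parser is a stand-in for whatever source you actually export.

```python
"""Flag bursts of account creation in CI-server audit events (defender-side triage)."""
from collections import deque
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample data in an ASSUMED line format:
#   <ISO-8601 timestamp>Z user_created actor=<who> user=<new login>
# One routine creation in the morning, then six random-looking accounts in three seconds.
SAMPLE_LOG = """\
2024-03-05T09:00:00Z user_created actor=admin user=jane.doe
2024-03-05T09:30:00Z login_ok actor=jane.doe
2024-03-05T14:12:03Z user_created actor=admin user=qz8f1k2p
2024-03-05T14:12:03Z user_created actor=admin user=m3x9v0tq
2024-03-05T14:12:04Z user_created actor=admin user=h7d2ls0w
2024-03-05T14:12:04Z user_created actor=admin user=p0k3nd8a
2024-03-05T14:12:05Z user_created actor=admin user=r5t1bc9e
2024-03-05T14:12:05Z user_created actor=admin user=y2w8qa4z
"""


def parse_user_creations(log: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, actor, new_user) for every user_created line; other events are skipped."""
    out = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "user_created":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        out.append((ts, fields.get("actor", "?"), fields.get("user", "?")))
    return out


def flag_burst_accounts(events, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Sliding window over creation events: any window of `window` length holding
    at least `threshold` creations marks every account in it. Returns sorted logins."""
    flagged = set()
    recent: deque = deque()
    for ev in sorted(events):
        recent.append(ev)
        while ev[0] - recent[0][0] > window:  # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            flagged.update(e[2] for e in recent)
    return sorted(flagged)


if __name__ == "__main__":
    suspicious = flag_burst_accounts(parse_user_creations(SAMPLE_LOG))
    print("Review/disable these accounts created in a burst:", suspicious)
```

Accounts flagged this way should be reviewed and disabled as part of post-patch cleanup, since patching alone does not remove them.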
Below are some key recommendations from Kroll’s cyber threat intelligence (CTI) team: