BianLian ransomware group exploits bugs in TeamCity software

March 13, 2024

The notorious BianLian ransomware group has exploited vulnerabilities within JetBrains TeamCity software, showcasing the latest addition to its evolving tactics.

Based on reports, the attackers gained their initial intrusion by exploiting flaws in a TeamCity server. This tactic allowed the threat actors to breach the target system and start their malicious agenda.

Researchers uncovered this ransomware group back in August 2022. Since then, it has infected various sectors, including manufacturing, media and entertainment, and healthcare. Its modus operandi focuses on encrypting victim files and demanding ransom payments for their release.

However, a cybersecurity company provided a free decryptor in January last year for the ransomware operation, providing a solution to victims facing the aftermath of a BianLian attack.

The BianLian ransomware group exploited two TeamCity software vulnerabilities.

BianLian exploited CVE-2024-27198 and CVE-2023-42793 in the TeamCity software. By leveraging these flaws, they executed their initial breach, creating new user accounts and running malicious commands to deepen their intrusion into the victim’s network.

After establishing persistence, the threat actors identified and targeted two build servers within the compromised environment, using them as vectors for further exploitation and lateral movement.

Despite encountering setbacks in completing their custom Go backdoor, the attackers swiftly adapted, using a PowerShell implementation to sustain their operation.

Furthermore, they hid their activities using specific parameters within the ‘cookies’ function. Notably, a hexadecimal value passed through ‘Cookies_Param1’ decoded to an IP address, 136.0.3.71, associated with a server storing the BianLian Go backdoor as of March 6th, 2024.
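To show how an analyst would triage the kind of obfuscated parameter described above, here is an added example in Python; it is not code from the article or from the researchers it cites. It decodes an 8-hex-digit parameter value into candidate IPv4 addresses and checks them against the one indicator the article gives (136.0.3.71). The article does not state which byte order the actors used, so both readings are produced; the sample value `88000347` is constructed here by encoding that IP in network byte order, and `Cookies_Param2` is a hypothetical non-hex value included to show it is ignored.

```python
from __future__ import annotations

import ipaddress
import re

# Indicator reported in the article: host serving the BianLian Go backdoor
# (as of 6 March 2024). Extend this set with your own intelligence feed.
KNOWN_BACKDOOR_HOSTS = {"136.0.3.71"}

# Exactly four bytes of hex, with or without a 0x prefix.
HEX_RE = re.compile(r"^(?:0x)?([0-9a-fA-F]{8})$")


def decode_hex_ipv4(value: str) -> list[str]:
    """Return the IPv4 address(es) an 8-hex-digit string could encode.

    Byte order is an assumption (the article does not state it), so both the
    big-endian and little-endian readings are returned, deduplicated.
    Anything that is not exactly four hex bytes yields an empty list.
    """
    match = HEX_RE.match(value.strip())
    if not match:
        return []
    raw = bytes.fromhex(match.group(1))
    candidates = [
        str(ipaddress.IPv4Address(raw)),        # big-endian / network order
        str(ipaddress.IPv4Address(raw[::-1])),  # little-endian reading
    ]
    unique: list[str] = []
    for candidate in candidates:
        if candidate not in unique:
            unique.append(candidate)
    return unique


def triage_params(params: dict[str, str]) -> list[dict]:
    """Decode every hex-looking parameter and flag hits on known hosts."""
    findings = []
    for name, value in params.items():
        for ip in decode_hex_ipv4(value):
            findings.append({
                "param": name,
                "value": value,
                "ip": ip,
                "known_backdoor_host": ip in KNOWN_BACKDOOR_HOSTS,
            })
    return findings


# Constructed sample of cookie-style parameters as they might appear in a capture.
SAMPLE_PARAMS = {
    "Cookies_Param1": "88000347",   # constructed: 136.0.3.71 in network byte order
    "Cookies_Param2": "sessionid",  # hypothetical non-hex value; ignored by the decoder
}

if __name__ == "__main__":
    for finding in triage_params(SAMPLE_PARAMS):
        print(finding)
```

Only decodings that resolve to a known host are flagged; the unflagged alternate-endian reading is still returned so the analyst can pivot on it if other evidence suggests the actors used that order.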

Researchers have also flagged multiple detections of the Microsoft AV signature Win64/BianDoor.D just before the PowerShell backdoor’s successful deployment.

The findings of this investigation highlight broader trends charted in cybersecurity reports. A similar report also detailed the efficiency and quickness demonstrated by groups like BianLian in exploiting emerging vulnerabilities, reaffirming the necessity for vigilance and proactive defence strategies.

Organisations should also adopt the most potent cybersecurity defences available to keep up with these emerging threats. TeamCity should address these vulnerabilities to avoid future exploitations and protect their users’ infrastructure.
