Hundreds of Rogue Users Added to Unpatched TeamCity Servers

Cybersecurity

Security experts have warned that threat actors are now exploiting a critical TeamCity vulnerability en masse, creating hundreds of new user accounts on compromised servers.

TeamCity is a popular CI/CD developer tool from Czech outfit JetBrains. Rapid7 published exploit details of two new vulnerabilities in the product earlier this week.

These include CVE-2024-27198: an authentication bypass vulnerability in the web component of TeamCity which has a CVSS base score of 9.8. It could enable “complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated remote code execution (RCE),” according to Rapid7.

Cybersecurity firm LeakIX revealed in a post on X (formerly Twitter) yesterday that it found 1711 vulnerable TeamCity instances in its last scan. Of these, 1442 (84%) showed “clear signs of rogue user creation,” it added.

In a separate post, the firm revealed that it had observed “hundreds” of these user accounts being created by attackers “for later use across the internet.”

Related Posts

Only 5% of Boards Have Cybersecurity Expertise

What are the Essential Skills for Cyber Security…

Portugal Forces Worldcoin to Stop Collecting Biometric Data

This could have a major knock-on effect across the web, as TeamCity plays a key role for many organizations in helping developers create and deploy software.

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 warned on Monday.

Sysadmins have been urged by JetBrains and Rapid7 to upgrade their on-premises TeamCity servers without delay to avoid such an eventuality. However, for many it may be too late.

Read more on TeamCity vulnerabilities: Patched Critical Flaw Exposed JetBrains TeamCity Servers

“If you were/are still running a vulnerable system, assume compromise,” LeakIX warned.

The JetBrains product has been the target of Russian state actors in the past.

In December last year, a joint advisory from agencies in the US, UK and Poland warned that Cozy Bear (APT29) had “been targeting servers hosting JetBrains TeamCity software since September 2023.”


Credit: Source link

TVC Editorial Team 42892 posts

TVC is an online news portal that aims to provide the latest tech news, AI, fintech, robotics, cybersecurity, startups, venture capital, and much more!

You might also like More from author

Comments are closed.