Hundreds of Rogue Users Added to Unpatched TeamCity Servers
Security experts have warned that threat actors are now exploiting a critical TeamCity vulnerability en masse, creating hundreds of new user accounts on compromised servers.
TeamCity is a popular CI/CD developer tool from Czech outfit JetBrains. Rapid7 published exploit details of two new vulnerabilities in the product earlier this week.
These include CVE-2024-27198: an authentication bypass vulnerability in the web component of TeamCity which has a CVSS base score of 9.8. It could enable “complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated remote code execution (RCE),” according to Rapid7.
Cybersecurity firm LeakIX revealed in a post on X (formerly Twitter) yesterday that it found 1711 vulnerable TeamCity instances in its last scan. Of these, 1442 (84%) showed “clear signs of rogue user creation,” it added.
In a separate post, the firm revealed that it had observed “hundreds” of these user accounts being created by attackers “for later use across the internet.”
⚠️⚠️⚠️ We are seeing massive exploitation of TeamCity CVE-2024-27198.
Hundreds of users are created for later use across the Internet. pic.twitter.com/VIRx13ZdMS
— LeakIX (@leak_ix) March 6, 2024
This could have a major knock-on effect across the web, as TeamCity plays a key role for many organizations in helping developers create and deploy software.
“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 warned on Monday.
Sysadmins have been urged by JetBrains and Rapid7 to upgrade their on-premises TeamCity servers without delay to avoid such an eventuality. However, for many it may be too late.
Read more on TeamCity vulnerabilities: Patched Critical Flaw Exposed JetBrains TeamCity Servers
“If you were/are still running a vulnerable system, assume compromise,” LeakIX warned.
The JetBrains product has been the target of Russian state actors in the past.
In December last year, a joint advisory from agencies in the US, UK and Poland warned that Cozy Bear (APT29) had “been targeting servers hosting JetBrains TeamCity software since September 2023.”
