Hundreds of Rogue Users Added to Unpatched TeamCity Servers

Security experts have warned that threat actors are now exploiting a critical TeamCity vulnerability en masse, creating hundreds of new user accounts on compromised servers.

TeamCity is a popular CI/CD developer tool from Czech outfit JetBrains. Rapid7 published exploit details of two new vulnerabilities in the product earlier this week.

These include CVE-2024-27198: an authentication bypass vulnerability in the web component of TeamCity which has a CVSS base score of 9.8. It could enable “complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated remote code execution (RCE),” according to Rapid7.

Cybersecurity firm LeakIX revealed in a post on X (formerly Twitter) yesterday that it found 1711 vulnerable TeamCity instances in its last scan. Of these, 1442 (84%) showed “clear signs of rogue user creation,” it added.

In a separate post, the firm revealed that it had observed “hundreds” of these user accounts being created by attackers “for later use across the internet.”

This could have a major knock-on effect across the web, as TeamCity plays a key role for many organizations in helping developers create and deploy software.

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 warned on Monday.

Sysadmins have been urged by JetBrains and Rapid7 to upgrade their on-premises TeamCity servers without delay to avoid such an eventuality. However, for many it may be too late.

Read more on TeamCity vulnerabilities: Patched Critical Flaw Exposed JetBrains TeamCity Servers

“If you were/are still running a vulnerable system, assume compromise,” LeakIX warned.

The JetBrains product has been the target of Russian state actors in the past.

In December last year, a joint advisory from agencies in the US, UK and Poland warned that Cozy Bear (APT29) had “been targeting servers hosting JetBrains TeamCity software since September 2023.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button