Darktrace reported the rapid exploitation of CVE-2024-27198 in JetBrains TeamCity On-Premises, with attackers performing post-exploitation activities such as unauthorized access and cryptocurrency mining. CISA added CVE-2024-27198 to its Known Exploited Catalog, and Darktrace’s Cyber AI Analyst alerted affected customers, underscoring the need for swift detection and response to supply chain threats. Hashtags: #CVE-2024-27198 #CobaltStrike
Key points
- Rapid exploitation of CVE-2024-27198 in JetBrains TeamCity was observed within days of public disclosure, including proof-of-exploit activity.
- The vulnerability can enable attackers to take full control over TeamCity projects, creating a major supply-chain risk.
- Darktrace detected exploitation attempts two days after disclosure, including reconnaissance and validation steps against vulnerable servers.
- Post-exploitation activity encompassed suspicious downloads, C2 connectivity, and deployment of cryptocurrency mining software (e.g., XMRig).
- CISA added CVE-2024-27198 to its Known Exploited Catalog, confirming active use in ransomware campaigns.
- Darktrace’s Cyber AI Analyst autonomously linked events to a broader compromise and alerted affected customers, though autonomous containment was not configured.
- The case highlights the accelerating time-to-exploit for internet-facing systems and the value of AI-driven anomaly detection in stopping early-stage breaches.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers exploit vulnerabilities in internet-facing applications to gain unauthorized access. ‘Using CVE-2024-27198, an attacker is able to successfully call an authenticated endpoint with no authentication, if they meet three requirements during an HTTP(S) request:’
- [T1059.001] PowerShell – Execution of malicious commands via PowerShell to facilitate further exploitation.
- [T1105] Ingress Tool Transfer – Transfer of tools or malware to the compromised system for further exploitation.
- [T1588] Obtain Capabilities – Acquisition of capabilities, such as malware or exploits, to enhance attack effectiveness.
- [T1588.006] Vulnerabilities – Exploitation of known vulnerabilities to gain access or escalate privileges.
Indicators of Compromise
- [URI] Exploit validation and initial malicious activity – /hax?jsp=/app/rest/server;.jsp, /app/rest/debug/processes?exePath=/bin/sh&params=-c&params=echo+ReadyGO
- [SHA1] Malicious file hash – db6bd96b152314db3c430df41b83fcf2e5712281
- [URI] Crypto-mining/C2 artifact – /beacon.out
- [MSI] Malicious installer – 146.70.149[.]185:81/JavaAccessBridge-64.msi
- [IP] Malicious endpoints – 83.97.20[.]141:81 and 146.70.149[.]185:81
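The indicators above are most useful when turned into a repeatable check over the TeamCity server's web access logs. The script below is an added example, not code from Darktrace or from the report being summarised: it parses access-log lines in the common combined format (an assumption; the report does not name the log source), flags requests that match the listed URI indicators, and normalises the defanged IP indicators so egress destinations can be compared against them. The three URI patterns are generalised from the exact strings listed (any `jsp=` parameter aimed at an `/app/rest/` path, any request to the `debug/processes` endpoint, any fetch of a `beacon.out` file); that generalisation is this example's choice, not something the report states. The sample log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One access-log line in combined/common format (assumed log source):
#   client - - [timestamp] "METHOD /uri HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Network indicators from the report; defanged "[.]" is normalised before matching.
IOC_IPS = {"83.97.20.141", "146.70.149.185"}

# Constructed sample access log: a normal login page hit, the two probe URIs
# listed in the indicators section, and an unrelated (denied) API request.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [05/Mar/2024:10:14:02 +0000] "GET /login.html HTTP/1.1" 200 5120
203.0.113.10 - - [05/Mar/2024:10:14:05 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 1337
203.0.113.10 - - [05/Mar/2024:10:14:09 +0000] "GET /app/rest/debug/processes?exePath=/bin/sh&params=-c&params=echo+ReadyGO HTTP/1.1" 200 211
198.51.100.7 - - [05/Mar/2024:10:20:41 +0000] "GET /app/rest/builds HTTP/1.1" 401 0
""".splitlines()


def classify_uri(uri):
    """Return a short reason label if the request URI matches an indicator pattern, else None.

    The patterns are generalised from the URIs in the indicators section
    (an assumption of this example, not a statement from the report).
    """
    parts = urlsplit(uri)
    path = parts.path
    query = parse_qs(parts.query)

    # 1. Probe shaped like /hax?jsp=/app/rest/server;.jsp: a jsp= parameter
    #    that points at an internal REST path.
    if any(v.startswith("/app/rest/") for v in query.get("jsp", [])):
        return "teamcity-auth-bypass-probe"

    # 2. Any hit on the process-execution debug endpoint
    #    (e.g. ...?exePath=/bin/sh&params=-c&params=echo+ReadyGO).
    if path == "/app/rest/debug/processes":
        return "teamcity-debug-process-exec"

    # 3. Second-stage payload fetch named in the report.
    if path.endswith("/beacon.out"):
        return "beacon-download"

    return None


def triage(lines):
    """Parse access-log lines and return one finding per indicator match."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        reason = classify_uri(m.group("uri"))
        if reason:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "uri": m.group("uri"),
                "status": m.group("status"),
                "reason": reason,
            })
    return findings


def is_ioc_endpoint(host_port):
    """True if a destination such as '146.70.149[.]185:81' is one of the listed IPs."""
    host = host_port.replace("[.]", ".").rsplit(":", 1)[0]
    return host in IOC_IPS


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']}: {f['uri']} ({f['status']})")
    for dest in ("146.70.149[.]185:81", "10.0.0.5:443"):
        print(dest, "-> IOC" if is_ioc_endpoint(dest) else "-> clean")
```

Run over the constructed log, the script reports the auth-bypass probe and the `debug/processes` request from the same client within seconds of each other, which is the validation-then-exploitation sequence the report describes; a 200 status on either request is the strongest signal, since it indicates the server accepted the unauthenticated call. In practice, feed it the TeamCity access log plus proxy or firewall egress records, and treat any `beacon.out` fetch or connection to a listed endpoint as grounds for isolating the host.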