Vast Post-Exploitation Opportunities from JetBrains Vulnerabilities

In response to the exploitation of vulnerabilities within the JetBrains TeamCity On-Premises platforms, CVE-2024-27198 and CVE-2024-27199, Trend Micro researchers have uncovered how these flaws enable attackers to bypass authentication, potentially gaining administrative control over affected servers. CVE-2024-27198 is particularly notorious, facilitating a range of malicious operations including the deployment of Jasmin ransomware, XMRig cryptocurrency mining, Cobalt Strike beacons, SparkRAT backdoors, and executing commands for internal reconnaissance and the creation of new user accounts. CVE-2024-27199, a directory traversal vulnerability, could result in information leaks and alterations to system settings. With public proof-of-concept exploits readily available, the need for organizations to promptly update their TeamCity servers is critical to prevent potential breaches and ensure the protection of their systems.

Post-exploitation activities observed following these vulnerabilities are particularly concerning due to their varied nature and impact. For instance, attackers have deployed Jasmin ransomware through a process involving the use of msiexec to download and execute malicious MSI files, leading to file encryption and ransom demands. Similarly, the XMRig cryptocurrency miner is installed via PowerShell commands, leveraging the compromised systems' resources for mining activities. Furthermore, the deployment of SparkRAT and Cobalt Strike beacons signifies a serious threat, as these tools provide attackers with extensive control over infected systems, enabling further malicious activities and data exfiltration. Lastly, the creation of new user accounts with elevated permissions through command-line utilities like net and net1 exemplifies the attackers' efforts to maintain persistence within the network.

These attack chains, utilizing tools such as Msiexec, PowerShell, and Certutil, showcase the capabilities of the threat actors exploiting these vulnerabilities. Monitoring for specific process executions related to the outlined post-exploitation techniques can help in identifying and mitigating attacks early. Organizations must prioritize the patching of CVE-2024-27198 and CVE-2024-27199 to protect against the diverse threats posed by their exploitation, ensuring the security of their TeamCity environments and preventing potential financial and operational impacts.