
It was observed that the threat actors behind the BianLian ransomware exploited security vulnerabilities in JetBrains TeamCity software to conduct ransomware attacks.
GuidePoint Security has responded to the latest breach, which “began with the exploitation of TeamCity servers, resulting in the deployment of a PowerShell implementation of the BianLian Go backdoor,” according to a new report.
BianLian emerged in June 2022 and has focused on exfiltration-based extortion since a decryptor for its ransomware was released in January 2023.

The attack chain observed by the cybersecurity firm involves exploiting CVE-2024-27198 or CVE-2023-42793 on a vulnerable TeamCity instance to gain initial access to the environment, then creating new applications on the build server and executing malicious commands for post-exploitation and lateral movement.
It is unclear which of the two flaws the threat actors exploited for initial access.
BianLian attackers are known to plant a customized backdoor for each victim written in Go and drop remote desktop tools such as AnyDesk, Atera, SplashTop and TeamViewer. The backdoor was tracked by Microsoft as BianDoor.
“After multiple failed attempts to execute the standard Go backdoor, the threat actor resorted to living off the land and leveraged PowerShell to implement the backdoor, which provides nearly the same functionality as the Go backdoor,” said security researchers Justin Timothy, Gabe Renfro, and Keven Murphy.
The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for additional network communication with an attacker-controlled server, allowing the remote attacker to execute arbitrary commands on the compromised host.
“The identified backdoor is capable of interacting with the [command-and-control] server and executing asynchronously based on the remote attacker’s post-exploitation objectives,” the researchers said.
The disclosure comes as VulnCheck details a new proof-of-concept (PoC) exploit for a critical security vulnerability (CVE-2023-22527) affecting Atlassian Confluence Data Center and Confluence Server that could lead to fileless remote code execution and loads the Godzilla web shell directly into memory.

Over the past two months, this vulnerability has been weaponized to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans, indicating that it is being widely exploited.
“There’s more than one way to get to Rome,” notes VulnCheck’s Jacob Baines. “While using freemarker.template.utility.Execute appears to be a popular way to exploit CVE-2023-22527, other more subtle paths produce different indicators.”