The cybercriminals behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct attacks based solely on extortion.
What problems could BianLian cause?
According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “started with the exploitation of a TeamCity server which led to the deployment of a PowerShell version of BianLian's Go backdoor.”
BianLian emerged in June 2022 and, following the release of a decryptor in January 2023, has since engaged exclusively in exfiltration-based extortion.
The attack chain observed by the cybersecurity firm involves exploiting a vulnerable TeamCity instance via CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users on the build server and executing malicious commands for post-exploitation and lateral movement.
It is currently unclear which of the two flaws the cybercriminal (or cybercriminals) exploited to break in and deploy the aforementioned ransomware.
The cybercriminals behind the BianLian ransomware are known to implant a custom backdoor, written in the Go programming language and tailored to each victim, and to deploy remote desktop tools such as AnyDesk, Atera, SplashTop, and TeamViewer; this backdoor is tracked by Microsoft under the name WhiteDoor.
“After several failed attempts to run their standard Go backdoor, the cybercriminal moved to living off the land and exploited a PowerShell version of their backdoor, which provides almost identical functionality to what they would have had with their Go backdoor,” said security researchers Justin Timothy, Gabe Renfro and Keven Murphy.
The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for further network communication with a server controlled by the ransomware operators, allowing the remote attackers to perform arbitrary actions on an infected host.
“The backdoor [which is] now confirmed is capable of communicating with the command-and-control server and executing asynchronously based on the remote attacker's post-exploitation objectives,” said the researchers.
The disclosure comes as VulnCheck detailed new proofs of concept (PoCs) for exploiting a serious security flaw affecting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527), which could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory.
The flaw has since been used to distribute the C3RB3R ransomware, cryptocurrency miners and remote access Trojans over the past two months, indicating that exploitation of it has become widespread.
“There is more than one way to get to Rome,” said Jacob Baines of VulnCheck. “While it appears that using freemarker.template.utility.Execute is the popular way to exploit CVE-2023-22527, other more stealthy paths generate different indicators.”
Conclusion
Other similar cases of vulnerability exploitation in software development lifecycle (SDLC) software by ransomware operators include the abuse of security flaws in products such as Jenkins, GitLab, and Bitbucket. In these scenarios the cybercriminals aimed to compromise the software development and deployment environment, exploiting security weaknesses to carry out extortion attacks and exfiltrate sensitive data.
Adopting solid security practices and applying security patches promptly have therefore become crucial to mitigating the risk of such incidents. Although Windows updates (and not only those) are often “badly seen”, in an ever-evolving digital world it is important to install them. It is clear, however, that updates may occasionally cause problems, and official sites often warn against applying a particular update.