
Hackers are massively exploiting vulnerabilities recently found in JetBrains’ TeamCity On-Premises CI/CD platform. According to LeakIX and GreyNoise, as many as 1,400 of the 1,700 unpatched instances have been compromised.

The critical vulnerabilities CVE-2024-27198 and CVE-2024-27199 recently found in the platform are now being massively exploited, CVE-2024-27198 in particular, LeakIX researchers note.

Hackers are said to have created hundreds of new users on unpatched TeamCity On-Prem servers by exploiting the vulnerabilities, typically between 3 and 300 new users per server. The usernames follow a pattern of 8 alphanumeric characters.
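The username pattern above is a usable detection indicator. As an added example (not from the article, LeakIX or JetBrains), the following script takes a constructed user export with creation timestamps, which is an assumed input format, and flags accounts that match the 8-alphanumeric-character pattern only when several of them were created within a short window, so that a single legitimate account with a similar name does not trigger an alert on its own:

```python
import re
from datetime import datetime, timedelta

# Indicator from the report: post-exploitation accounts use 8 alphanumeric characters.
SUSPICIOUS_USERNAME = re.compile(r"^[A-Za-z0-9]{8}$")

# Constructed sample of a user export: (username, ISO-8601 creation time).
# Not real data; the export format is an assumption for this example.
SAMPLE_USERS = [
    ("alice.dev", "2024-02-10T09:12:00"),
    ("build-bot", "2024-02-11T10:00:00"),
    ("svc12345", "2024-01-20T12:00:00"),   # matches the pattern but is isolated
    ("Xk39Qz1p", "2024-03-05T02:14:03"),
    ("a8Bz4Qm2", "2024-03-05T02:14:07"),
    ("Q2w9Er4t", "2024-03-05T02:15:10"),
    ("m7Pl0Zq3", "2024-03-05T02:16:40"),
]


def flag_suspicious_users(users, window=timedelta(minutes=10), min_burst=3):
    """Split pattern-matching usernames into a burst group and an isolated group.

    A username is put in "burst" when at least `min_burst` pattern matches
    (itself included) were created within `window` of each other; remaining
    pattern matches go to "pattern_only" for lower-priority review.
    """
    candidates = sorted(
        (datetime.fromisoformat(ts), name)
        for name, ts in users
        if SUSPICIOUS_USERNAME.match(name)
    )
    burst = set()
    for start, _ in candidates:
        # All pattern matches created in [start, start + window].
        cluster = [name for t, name in candidates if start <= t <= start + window]
        if len(cluster) >= min_burst:
            burst.update(cluster)
    pattern_only = [name for _, name in candidates if name not in burst]
    return {"burst": sorted(burst), "pattern_only": sorted(pattern_only)}


if __name__ == "__main__":
    print(flag_suspicious_users(SAMPLE_USERS))
```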

Just over 1,700 TeamCity On-Prem servers have yet to receive the update. Of these, 1,400 have probably already been compromised. The most vulnerable servers are in Germany, the U.S., Russia, China, the Netherlands, and France.

GreyNoise confirms the observations. The monitoring platform noted that early this week, the number of exploit attempts for CVE-2024-27198 increased sharply, especially against instances hosted on DigitalOcean infrastructure in the US.

Mainly production servers affected

LeakIX states that production servers for building and deploying software are most affected. This means that the breaches could potentially lead to supply-chain attacks. These servers often hold sensitive data, including login credentials, for the environments in which the code is deployed, published, and/or stored. Think of retail environments, marketplaces, repositories, and corporate infrastructure.

Patch now available

In mid-February, Rapid7’s security specialists discovered the highly critical CVE-2024-27198 and CVE-2024-27199 vulnerabilities in JetBrains’ TeamCity On-Premises. The DevOps specialist indicates that all versions of this CI/CD platform up to v2023.11.4 are vulnerable.

Only the on-premises version of TeamCity is affected. The TeamCity Cloud version has since been patched, and no breaches have been detected.

Meanwhile, two more known vulnerabilities for TeamCity On-Premises have been discovered: CWE-288 and CWE-23. These vulnerabilities allow unauthenticated attackers to access TeamCity servers over HTTPS while bypassing authentication, and thereby take control of the affected servers.

A patch for CVE-2024-27198 has been available since early this week. JetBrains urges customers to install it as soon as possible or, better yet, upgrade to version v2023.11.4.
