Ransomware Actors Exploit Critical Bug, Target DevOps Tool
Multiple Organizations Victimized Over the Weekend
Ransomware hackers are exploiting a critical flaw in a DevOps tool, days after developer JetBrains issued a critical security update to patch its TeamCity build management and continuous integration server.
JetBrains disclosed on Sept. 20 a vulnerability, tracked as CVE-2023-42793, that allows remote code execution on its continuous integration and continuous delivery/continuous deployment servers.
"Many popular ransomware groups started to weaponize CVE-2023-42793 and added the exploitation phase in their workflow," said threat intelligence firm Prodaft on social media network X, formerly known as Twitter.
The firm said it had detected multiple organizations affected over the last three days by hackers exploiting the bug. "Unfortunately, most of them will have a huge headache in the upcoming weeks," Prodaft said.
The vulnerability allows unauthenticated attackers to execute arbitrary code on the TeamCity on-premises server. Attackers can steal source code, service secrets and private keys, said SonarSource, which first identified the flaw.
The vulnerability affects all versions of TeamCity's on-premises CI/CD server released before the patch; the product is used by 30,000 users worldwide. Servers such as TeamCity are high-value targets for attackers.
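Because every release before the patched one is affected, the first defensive step is an inventory check: which TeamCity servers are still on an older version, and which of those are reachable from the internet. The following triage helper is an added example written for this article; it is not code from JetBrains, SonarSource, Shadowserver or any other party named here. It assumes TeamCity reports its version as "YYYY.MM.P (build N)", the inventory below is constructed, and the FIXED_VERSION constant is a placeholder that must be taken from the JetBrains advisory rather than from this article.

```python
"""Flag on-premises TeamCity servers whose version predates a fixed release.

Added example for triaging CVE-2023-42793 exposure; not vendor code.
"""
import re
from dataclasses import dataclass

# Placeholder: substitute the fixed release stated in the JetBrains advisory.
FIXED_VERSION = "2023.05.4"

# TeamCity version strings look like "2023.05.3 (build 129390)"; the patch
# component and the build suffix are optional in some inventories.
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d{2})(?:\.(\d+))?\s*(?:\(build\s+(\d+)\))?\s*$"
)


def parse_version(text: str) -> tuple:
    """Return (year, minor, patch, build); raise ValueError on unknown input."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    year, minor, patch, build = match.groups()
    return (int(year), int(minor), int(patch or 0), int(build or 0))


def is_vulnerable(version: str, fixed_version: str = FIXED_VERSION) -> bool:
    """True when year.minor.patch is strictly older than the fixed release.

    The build number is deliberately ignored: two builds of the same
    year.minor.patch carry the same fix status.
    """
    return parse_version(version)[:3] < parse_version(fixed_version)[:3]


@dataclass
class Server:
    host: str
    version: str
    internet_exposed: bool


def triage(servers, fixed_version: str = FIXED_VERSION):
    """Return (priority, host, version) tuples, most urgent first.

    Internet-exposed unpatched servers come first, then internal unpatched
    ones, then servers whose version could not be parsed (treat as unknown,
    not as safe).
    """
    order = {"exposed-unpatched": 0, "internal-unpatched": 1, "unknown-version": 2}
    findings = []
    for server in servers:
        try:
            vulnerable = is_vulnerable(server.version, fixed_version)
        except ValueError:
            findings.append(("unknown-version", server.host, server.version))
            continue
        if not vulnerable:
            continue
        label = "exposed-unpatched" if server.internet_exposed else "internal-unpatched"
        findings.append((label, server.host, server.version))
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample inventory: hosts, versions and build numbers are made up.
SAMPLE_INVENTORY = [
    Server("ci-build-01.example.internal", "2023.05.3 (build 129390)", True),
    Server("ci-build-02.example.internal", "2022.10.1", False),
    Server("ci-build-03.example.internal", "2023.05.4 (build 129421)", True),
    Server("ci-legacy.example.internal", "unknown", True),
]


def run_sample():
    """Triage the constructed inventory against the placeholder fixed version."""
    return triage(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for priority, host, version in run_sample():
        print(f"{priority:18} {host:35} {version}")
```

Unparseable versions are reported rather than silently skipped, so a host that cannot be identified still lands on the follow-up list.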
The Shadowserver Foundation, which tracks malicious activity, on Sunday identified nearly 1,300 unpatched TeamCity servers, most of them in the United States.
At least 74 unique IP addresses have targeted internet-exposed JetBrains TeamCity servers, according to threat intelligence firm GreyNoise.
Cybersecurity company Rapid7 said it has disclosed an exploit for the vulnerability that works against both Windows and Linux targets.