Ransomware Actors Exploit Critical Bug, Target DevOps Tool

Multiple Organizations Victimized Over the Weekend

Ransomware hackers are using a critical flaw in a DevOps tool days after developer JetBrains issued a critical security update to patch its TeamCity build management and continuous integration server.

JetBrains disclosed on Sept. 20 a vulnerability tracked as CVE-2023-42793 allowing remote code execution on its continuous integration and continuous delivery/continuous deployment servers.

"Many popular ransomware groups started to weaponize CVE-2023-42793 and added the exploitation phase in their workflow," said threat intelligence firm Prodaft on social media network X, formerly known as Twitter.

The firm said it had detected multiple organizations affected over the last three days by hackers exploiting the bug. "Unfortunately, most of them will have a huge headache in the upcoming weeks," Prodaft said.

The vulnerability allows unauthenticated attackers to execute arbitrary code on the TeamCity on-premises server. Attackers can steal source code, service secrets and private keys, said SonarSource, which first identified the flaw.

The vulnerability affects all prior versions of TeamCity's on-premises CI/CD server, used by 30,000 users worldwide. Servers such as TeamCity are high-value targets for attackers.

The Shadowserver Foundation, which tracks malicious activity, on Sunday traced nearly 1,300 unpatched TeamCity servers, most of them in the United States.

At least 74 unique IP addresses have targeted internet-exposed JetBrains TeamCity servers, according to threat intelligence firm GreyNoise.

Rapid7 disclosed an exploit for the vulnerability that works against both Windows and Linux targets, the cybersecurity company said.


About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



