The BianLian ransomware gang is exploiting known bugs in JetBrains’ TeamCity software development platform to gain initial access to victims’ systems.
Researchers at GuidePoint Security said they recently observed an intrusion where BianLian attempted to deploy several malicious tools, including a novel PowerShell backdoor, after accessing a victim’s TeamCity server.
“As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities,” the researchers said in a March 8 blog post.
TeamCity flaws expose supply chain attack risk
The threat group’s TeamCity hack involved exploiting one of two critical-severity authentication bypass vulnerabilities, one of which was patched this month (CVE-2024-27198) and the other last September (CVE-2023-42793).
“The threat actor identified a vulnerable TeamCity server and leveraged CVE-2024-27198/CVE-2023-42793 for initial access into the environment, creating users in TeamCity and invoking malicious commands under the TeamCity product’s service account,” GuidePoint Security’s researchers said.
“The logs required to determine which of the two CVEs the threat actor exploited were not available at the time of analysis.”
BianLian is known for deploying a custom backdoor, written in Go and specific to each of its victims, before installing remote management and access software for persistence and command and control. But GuidePoint Security observed a change of approach used in the TeamCity attack.
“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” the researchers said.
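A defender-side triage routine for the two behaviours the quoted passages describe, commands invoked under the TeamCity service account and the pivot to a PowerShell backdoor, as an added example that is not from the article or from GuidePoint Security's analysis. The service-account name, the server process image names, the scoring thresholds and the shape of the process-creation records are assumptions chosen for illustration, and the sample events are constructed rather than taken from the incident.

```python
"""Score process-creation records for living-off-the-land activity under a
CI server's service account (added defender-side example, not the article's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed names, not from the article: the account the CI service runs as and the
# image names of the CI server process. Adjust these to the local deployment.
CI_SERVICE_ACCOUNT = "svc_teamcity"
CI_SERVER_IMAGES = {"teamcity-server.exe", "java.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits that often accompany scripted backdoors; each one that
# fires adds a point so analysts can rank hits rather than get a binary verdict.
SUSPICIOUS_ARGS = {
    "encoded_command":  re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand|c)?(\s|$)"),
    "no_profile":       re.compile(r"(?i)(^|\s)-nop(rofile)?(\s|$)"),
    "hidden_window":    re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "policy_bypass":    re.compile(r"(?i)-ex(ecutionpolicy)?\s+bypass"),
    "download_or_eval": re.compile(r"(?i)downloadstring|invoke-expression|\biex\b|frombase64string"),
}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are an assumption)."""
    user: str
    parent_image: str
    image: str
    cmdline: str


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). 0 means no interest; >= 3 warrants analyst review."""
    if ev.user.lower() != CI_SERVICE_ACCOUNT:
        return 0, []
    score, reasons = 0, []
    if ev.image.lower() in SHELL_IMAGES:
        # A shell running as the CI service account is unusual on the server itself.
        score += 1
        reasons.append("shell_under_ci_service_account")
        if ev.parent_image.lower() in CI_SERVER_IMAGES:
            # Spawned directly by the server process: consistent with command
            # execution through the product rather than an operator's session.
            score += 2
            reasons.append("spawned_directly_by_ci_server")
        for name, pattern in SUSPICIOUS_ARGS.items():
            if pattern.search(ev.cmdline):
                score += 1
                reasons.append(name)
    return score, reasons


def triage(events: list[ProcEvent]) -> list[tuple[int, list[str], ProcEvent]]:
    """Return events scoring >= 3, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= 3:
            hits.append((score, reasons, ev))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


# Constructed sample telemetry; the base64 blob is a placeholder, not real payload.
SAMPLE_EVENTS = [
    ProcEvent("svc_teamcity", "java.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc QUJD"),
    ProcEvent("svc_teamcity", "java.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("svc_teamcity", "java.exe", "git.exe", "git.exe fetch --all"),
    ProcEvent("alice", "explorer.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc QUJD"),
    ProcEvent("svc_teamcity", "explorer.exe", "powershell.exe",
              "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for score, reasons, ev in triage(SAMPLE_EVENTS):
        print(f"{score:2d}  {ev.image:<15} {ev.cmdline}  [{', '.join(reasons)}]")
```

The scoring deliberately separates "a shell ran as the service account" from "the server process itself spawned it": the first can be a benign administrative task, the second is much closer to the behaviour the researchers describe. In the constructed sample, the hidden, profile-less, encoded PowerShell launch scores 6 and the bare `cmd.exe /c whoami` still scores 3 because of its parent, while the same encoded command run by an ordinary user, and a plain PowerShell session under the service account with a non-server parent, stay below the review threshold.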
TeamCity manages organizations’ Continuous Integration and Continuous Deployment (CI/CD) software development pipeline — the process of building, testing and deploying code. The platform is used by about 30,000 organizations.
Compromising a TeamCity server could give threat actors access to a victim organization’s source code and signing certificates, giving them the ability to subvert software compilation and deployment processes to launch a supply chain attack, security and law enforcement agencies warned in December.
Adaptability makes BianLian a top 10 ransomware gang
Given its propensity to exploit the latest vulnerabilities, BianLian aptly takes its name from the ancient Chinese dramatic art of “face-changing”, in which performers wear brightly colored costumes and several masks that are quickly changed.
The gang emerged in 2022 as a double extortion ransomware group, demanding payment from victims to unlock encrypted files while using the threat of selling or publishing exfiltrated data as additional leverage.
But when Avast published a decryptor for the group’s encryption malware early last year, BianLian switched to only extorting payments to prevent data leaks.
According to a January analysis by Palo Alto Networks’ Unit 42, the group was one of the top 10 most active ransomware operators in 2023, based on the number of victims posted on its leak site. It primarily targeted the healthcare, manufacturing, professional and legal services sectors, mainly in the U.S. and Europe.
“Maintaining their tactics, techniques and procedures (TTPs) of infiltrating corporate networks, the BianLian group has shown adaptiveness to the ransomware market demands,” Unit 42’s researchers said in their analysis.