Hackers attack developers: BianLian uses TeamCity for extortion

The new backdoor BianDoor finds an individual approach for each victim.

The information security company GuidePoint Security has discovered that the BianLian group exploits vulnerabilities in the JetBrains TeamCity software to conduct ransomware attacks.

Experts recorded an attack chain that starts with the exploitation of a TeamCity instance via CVE-2024-27198 (CVSS score: 9.8) or CVE-2023-42793 (CVSS score: 9.8). Either flaw allowed the attackers to gain initial access to the system, create new accounts on the build server, and execute malicious commands for further intrusion and lateral movement inside the network. At the moment, it is unclear which of the two flaws was used for the initial compromise.

The main feature of BianLian attacks is the use of a Go backdoor built specifically for each victim, together with the deployment of remote access tools such as AnyDesk, Atera, SplashTop, and TeamViewer.

The BianLian backdoor is tracked by Microsoft as BianDoor. After several unsuccessful attempts to run the standard Go backdoor, the cybercriminals switched to the Living off the Land (LotL) approach and used a PowerShell implementation of their backdoor that provides almost identical functionality. The obfuscated PowerShell backdoor opens a TCP socket for communication with the Command and Control (C2) server, allowing the hackers to perform arbitrary actions on the infected host for the purpose of extortion.

Note that CVE-2023-42793 has already been used in attacks on unpatched TeamCity servers. Exploiting the vulnerability allows an unauthenticated attacker to achieve Remote Code Execution (RCE) without user interaction. As stated by CISA, gaining access to TeamCity allows an attacker to escalate privileges, move laterally across networks, install additional backdoors, and maintain long-term access to compromised networks, in particular those of software developers.

The CVE-2024-27198 bug was discovered in early March and affects all versions of TeamCity On-Premises up to and including 2023.11.3. The vulnerability allows an unauthenticated attacker with HTTP(S) access to the TeamCity server to bypass authentication and gain administrative control over the server. Compromising the TeamCity server gives an attacker full control over all TeamCity projects, builds, agents, and artifacts, making it a suitable foothold for supply-chain attacks.
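As an added example (not from the article, GuidePoint, or JetBrains), the script below shows how a defender could triage the chain described above: a version check against the 2023.11.3 cut-off the article gives for CVE-2024-27198, plus a scan of process-creation events for a shell spawned by the TeamCity server process, a PowerShell payload opening its own TCP socket, and the remote access tools the article names. The event fields and the assumption that the TeamCity server runs from a path containing "teamcity" are mine, and the sample events are constructed, not real telemetry.

```python
import re

# Remote access tools the article lists as deployed after the compromise.
RAT_BINARIES = ("anydesk", "ateraagent", "splashtop", "teamviewer")
# Traits of a PowerShell implant that talks to a C2 over a raw TCP socket.
PS_SOCKET = re.compile(r"(-enc(odedcommand)?\s|Net\.Sockets\.TcpClient|FromBase64String)", re.I)
# Last TeamCity On-Premises version the article names as affected by CVE-2024-27198.
LAST_VULNERABLE = (2023, 11, 3)

# Constructed sample process-creation events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\TeamCity\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAA"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]


def version_tuple(version):
    """'2023.05.1 (build 129390)' -> (2023, 5, 1); keeps the first three numbers."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def vulnerable_to_cve_2024_27198(version):
    """True when a TeamCity On-Premises version is at or below 2023.11.3."""
    return version_tuple(version) <= LAST_VULNERABLE


def triage(events):
    """Return (event index, reason) pairs for events matching the described chain."""
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "")
        # Assumption: the server's Java process lives under a "teamcity" path;
        # a build server spawning an interactive shell is worth a look.
        if "teamcity" in parent and image.endswith(("cmd.exe", "powershell.exe")):
            hits.append((i, "shell spawned by TeamCity server process"))
        if image.endswith("powershell.exe") and PS_SOCKET.search(cmd):
            hits.append((i, "obfuscated PowerShell with raw TCP socket"))
        if any(rat in image for rat in RAT_BINARIES):
            hits.append((i, "remote access tool execution"))
    return hits
```

Run `triage(SAMPLE_EVENTS)` to see the three constructed suspicious events flagged and the notepad event left alone; feed the function your own process-creation records with the same field names to reuse it.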