Hackers exploit latest TeamCity auth bypass bug to create hundreds of admin accounts

Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday.

Exploitation appears to be massive, with hundreds of new users created on unpatched instances of TeamCity exposed on the public web.

Risk of supply-chain attacks

LeakIX, a search engine for exposed device misconfigurations and vulnerabilities, told BleepingComputer that a little over 1,700 TeamCity servers have yet to receive the fix.

TeamCity installations vulnerable to auth bypass bug CVE-2024-27198
TeamCity installations vulnerable to auth bypass bug CVE-2024-27198
source: LeakIX

Most of the vulnerable hosts indexed by LeakIX are in Germany, the United States, and Russia, followed at a distance by China, the Netherlands, and France.

Of these, the platform indicates that hackers have already compromised more than 1,440 instances.

"There are between 3 and 300 hundreds users created on compromised instances, usually the pattern is 8 alphanum characters," LeakIX told BleepingComputer.

TeamCity instances already compromise through CVE-2024-27198
TeamCity instances already compromise through CVE-2024-27198
source: LeakIX

GreyNoise, a company that analyzes internet scanning traffic, also recorded on March 5 a sharp increase in attempts to exploit CVE-2024-27198.

According to GreyNoise statistics, most attempts come from systems in the United States on the DigitalOcean hosting infrastructure.

Gregory Boddin of LeakIX told BleepingComputer that the TeamCity servers observed are production machines used to build and deploy software.

This means that compromising them could lead to supply-chain attacks as they may contain sensitive details such as credentials for the environments where code is deployed, published, or stored (e.g. stores and marketplaces, repositories, company infrastructure).

Cybersecurity company Rapid7 expressed the same concern in a blog post analyzing the vulnerability and the ways it can be leveraged in attacks

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack” - Rapid7

Urgent TeamCity update

CVE-2024-27198 has a critical severity score of 9.8 out of 10 and affects all releases up to 2023.11.4 of the on-premise version of TeamCity.

It is present in the web component of the server and can allow a remote, unauthenticated attacker to take control of a vulnerable server with administrative privileges.

Discovered by Stephen Fewer, a principal security researcher at Rapid7, the vulnerability was reported to JetBrains in mid-February and fixed on March 4.

Rapid7 has published complete technical details on what causes the issue and demonstrated how an attacker could exploit it to achieve remote code execution.

JetBrains annonuced on Monday the release of TeamCity 2023.11.4 with a fix for CVE-2024-27198, encouraging all users to update instances to the latest version.

With massive exploitation already observed, administrators of on-premise TeamCity instances should take urgent steps towards installing the newest release.

Related Articles:

Exploit available for new critical TeamCity auth bypass bug, patch now

Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks

Palo Alto Networks fixes zero-day exploited to backdoor firewalls

Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks

CISA tags Microsoft SharePoint RCE bug as actively exploited