Exploitation of JetBrains TeamCity Software Security Flaws Detailed

The BianLian ransomware threat actors have been exploiting security flaws in JetBrains TeamCity software, leading to incidents of server exploitation and the creation of custom backdoors tailored to each victim.

At a glance

  • BianLian ransomware exploiting security flaws in JetBrains TeamCity software.
  • Threat actors create new users in the build server and execute malicious commands.
  • Custom backdoors tailored to each victim are written in Go.
  • Proof-of-concept exploits for critical security flaws in Atlassian Confluence.
  • BlackCat/ALPHV ransomware operation targeted critical infrastructure and was shut down by law enforcement.

The details

The BianLian ransomware threat actors have exploited security flaws in JetBrains TeamCity software.

A report from GuidePoint Security has detailed an incident involving exploiting a TeamCity server.

The BianLian ransomware emerged in June 2022 and then shifted to exfiltration-based extortion in January 2023. The attack chain involves exploiting vulnerable TeamCity instances using either the CVE-2024-27198 or the CVE-2023-42793 security flaws.

The threat actors create new users in the build server and execute malicious commands for post-exploitation.

It is currently unclear which specific flaw was used for the infiltration.

The BianLian actors are known to implant custom backdoors tailored to each victim, which are written in Go.

Additionally, remote desktop tools such as AnyDesk, Atera, SplashTop, and TeamViewer are dropped during the attack.

A PowerShell backdoor provides functionality similar to the Go backdoor, establishing a TCP socket for network communication with an actor-controlled server.

Proof-of-Concept Exploits

Furthermore, VulnCheck has detailed proof-of-concept exploits for a critical security flaw (CVE-2023-22527) in Atlassian Confluence Data Center and Confluence Server.

This flaw can lead to remote code execution and load the Godzilla web shell into memory.

It has been exploited to deploy the C3RB3R ransomware, cryptocurrency miners, and remote access trojans.

There are multiple paths for exploiting the CVE-2023-22527 security flaw, each with different indicators.

Ransomware Operations

The BlackCat/ALPHV ransomware operation was shut down after targeting critical infrastructure and being breached by law enforcement.

The FBI hacked the gang’s servers and held access for months, collecting data and decryptors, and seized the domain of its data leak site.

Following this, BlackCat threatened to target US critical infrastructure in revenge after the FBI seized their Tor onion domain.

An affiliate of BlackCat launched an attack on UnitedHealth Group’s Change Healthcare, causing severe disruptions in the US healthcare system.

Change Healthcare’s parent company paid a $22 million ransom to prevent a data leak and receive a file decryptor.

Subsequently, BlackCat performed an exit scam, stole the ransom, blamed law enforcement, and ultimately shut down.

In addition, the Stormous ransomware gang targeted Duvel, a Belgian beer maker, while the Swiss government warned of 65,000 leaked documents in the Play ransomware attack on Xplain.

Cybercriminals continue to profit from these attacks, with discussions of a federal ban on ransom payments gaining traction.

New ransomware variants such as STOP, SkyNet, GhostSec, StormousX, and Makop have been discovered, each with its own unique characteristics and ransom notes.

Moreover, Duvel Moortgat Brewery was hit by a ransomware attack, leading to a halt in beer production.

Capita confirmed an IT outage caused by a cyber incident, and PCrisk has found new MedusaLocker variants.

The FBI’s Internet Crime Complaint Center released the 2023 Internet Crime Report, noting a 22% increase in reported losses compared to 2022. The National Cyber Security Centre of Switzerland also released a report on a data breach following a ransomware attack on Xplain.

Additionally, the LockBit 3.0 mafia franchise claims business as usual after the Cronos law enforcement operation.

Lastly, technical specifics and a proof-of-concept exploit have been made available for a security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer.

Tracked as CVE-2024-1403, this vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system.

It affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0. The flaw may lead to unauthorized access on attempted logins when OEAG is configured with an OpenEdge Domain using the OS local authentication provider.

Progress Software has addressed the vulnerability in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1. Horizon3.ai has released a proof-of-concept for CVE-2024-1403, citing a function called connect() as the root cause, which is invoked when a remote connection is made.
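To turn the affected and fixed version ranges above into something a patch tracker can act on, here is an added example (not code from the page, from Progress Software or from Horizon3.ai) that classifies OpenEdge version strings against those ranges and combines the result with the configuration precondition the page states. The hostnames, versions and the os_local_auth_domain flag in the sample inventory are constructed; the page does not say whether branches it does not list are affected, so those are flagged for review rather than assumed safe.

```python
from typing import Dict, List, Tuple

# Affected ranges as stated on this page: (major, minor) branch -> highest affected patch.
AFFECTED_BRANCHES: Dict[Tuple[int, int], int] = {
    (11, 7): 18,  # 11.7.18 and earlier; fixed in 11.7.19
    (12, 2): 13,  # 12.2.13 and earlier; fixed in 12.2.14
    (12, 8): 0,   # 12.8.0; fixed in 12.8.1
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OpenEdge version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def version_status(version: str) -> str:
    """'affected', 'fixed' or 'unlisted' against the ranges above."""
    major, minor, patch = parse_version(version)
    last_bad = AFFECTED_BRANCHES.get((major, minor))
    if last_bad is None:
        return "unlisted"  # branch not named in the advisory text; do not assume safe
    return "affected" if patch <= last_bad else "fixed"

def assess_host(version: str, os_local_auth_domain: bool) -> str:
    """Combine the version check with the configuration precondition on the page."""
    status = version_status(version)
    if status == "affected" and os_local_auth_domain:
        return "VULNERABLE: affected version with OS local auth provider domain"
    if status == "affected":
        return "PATCH: affected version; described exploitable configuration not in use"
    if status == "unlisted":
        return "REVIEW: version branch not covered by the advisory text"
    return "OK: fixed version"

# Constructed inventory for illustration only; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("oeag-prod-01", "12.2.13", True),
    ("oeag-prod-02", "12.2.14", True),
    ("oeag-dev-01", "12.8.0", False),
    ("oeag-legacy", "11.7.18", True),
    ("oeag-other", "12.3.5", True),
]

def triage(inventory=SAMPLE_INVENTORY) -> Dict[str, str]:
    return {host: assess_host(ver, osl) for host, ver, osl in inventory}

if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: {verdict}")
```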

Security researcher Zach Hanley believes further research could reveal an avenue to remote code execution through built-in functionality.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

thehackernews.com
– BianLian ransomware threat actors exploit security flaws in JetBrains TeamCity software
– GuidePoint Security report details incident involving exploitation of TeamCity server
– BianLian ransomware emerged in June 2022, shifted to exfiltration-based extortion in January 2023
– The attack chain involves exploiting vulnerable TeamCity instances using CVE-2024-27198 or CVE-2023-42793
– Threat actors create new users in build server and execute malicious commands for post-exploitation
– Unclear which flaw was used for infiltration
– BianLian actors implant custom backdoor tailored to each victim written in Go
– Remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer are dropped
– PowerShell backdoor provides similar functionality to Go backdoor
– Backdoor establishes TCP socket for network communication to actor-controlled server
– VulnCheck details PoC exploits for critical security flaw in Atlassian Confluence Data Center and Confluence Server
– Flaw can lead to remote code execution and load Godzilla web shell into memory
– Exploited to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans
– Multiple paths for exploiting CVE-2023-22527 with different indicators
bleepingcomputer.com
– Ransomware operation BlackCat/ALPHV shut down after targeting critical infrastructure and being breached by law enforcement
– FBI hacked gang’s servers for months, collected data and decryptors, and seized the domain of a data leak site
– BlackCat vowed to target US critical infrastructure in revenge after FBI seized Tor onion domain
– Affiliate of BlackCat attacked UnitedHealth Group’s Change Healthcare, causing severe disruption in US healthcare system
– Change Healthcare’s parent company paid a $22 million ransom to prevent data leaks and receive file decryptor
– BlackCat performed an exit scam, stole ransom, blamed law enforcement, and shut down
– Stormous ransomware gang attacked Duvel Belgian beer maker
– The Swiss government warned that 65,000 documents were leaked in a Play ransomware attack on Xplain
– Cybercriminals continue to reap financial rewards of attacks, talk of federal ban on ransom payments getting louder
– New STOP ransomware variants found by PCrisk
– SkyNet variant found by PCrisk appends .payuranson extension and drops a ransom note named SkynetData.txt
– GhostSec and Stormous ransomware groups conducted double extortion attacks using GhostLocker and StormousX ransomware programs
– New Makop variant found by PCrisk appends .reload extension and drops a ransom note named +README-WARNING+.txt
– Duvel Moortgat Brewery hit by ransomware attack, halting beer production
– Capita confirmed IT outage caused by cyber incident
– New MedusaLocker variants found by PCrisk append .genesis15 and .duralock05 extensions and drop ransom note named HOW_TO_BACK_FILES.html
– FBI’s Internet Crime Complaint Center released the 2023 Internet Crime Report, which recorded 22% increase in reported losses compared to 2022
– National Cyber Security Centre of Switzerland released a report on a data breach following a ransomware attack on Xplain
– LockBit 3.0 mafia franchise claims business continues as usual after Cronos legal operation
– Optum’s Change Healthcare bringing systems back online after BlackCat ransomware attack led to widespread disruption in US healthcare system
thehackernews.com
– Technical specifics and a PoC exploit have been made available for a security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer
– The vulnerability is tracked as CVE-2024-1403 and has a maximum severity rating of 10.0 on the CVSS scoring system
– It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0
– The flaw may lead to unauthorized access on attempted logins when OEAG is configured with an OpenEdge Domain using the OS local authentication provider
– Progress Software has addressed the vulnerability in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1
– Horizon3.ai has released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that’s invoked when a remote connection is made
– The function authorizeUser() validates credentials and passes control to authenticate the user if the username matches “NT AUTHORITY\SYSTEM”
– Security researcher Zach Hanley believes there may be an avenue to remote code execution via built-in functionality with enough research effort
