The cybercriminal group BianLian, recognized for their ransomware assaults, has garnered attention from the information security community. Exploiting vulnerabilities within the JetBrains TeamCity platform, they executed multistage cyberattacks. Their modus operandi begins with deploying a Golang-based backdoor, progressing through various stages until reaching the ransomware payload.
BIANLIAN EXPLOITS TEAMCITY VULNERABILITIES
Recent research has unveiled a new tactic in BianLian’s operations: the ransomware group exploits security vulnerabilities in JetBrains TeamCity software to gain entry for their attacks.
Leveraging known vulnerabilities like CVE-2024-27198 or CVE-2023-42793, attackers gain initial access to the environment, facilitating further infiltration. Through the creation of new users and execution of malicious commands within the TeamCity infrastructure, threat actors orchestrate post-exploitation maneuvers and lateral movement, thereby expanding their foothold in the victim’s network.
According to the initial report from GuidePoint Security, BianLian initially succeeded with their Go-based backdoor but later reverted to a PowerShell version of it after the original was unexpectedly detected by Microsoft Defender. Before falling back to the PowerShell backdoor, the attackers also deployed and ran network reconnaissance tools.
The PowerShell backdoor described above primarily aims to enable covert access and control over compromised systems. A research summary highlights several features of this malware to be mindful of.
The backdoor includes functionality to resolve IP addresses based on provided parameters, establishing TCP sockets for communication with remote command-and-control (C2) servers. Additionally, this facilitates bidirectional data exchange between the compromised system and the attacker-controlled infrastructure. Below is the code recovered by analysts:
# Function to resolve an IP address
function cakest{
    param($Cakes_Param_1)
    # If the parameter already parses as an IP address, hand it back unchanged
    IF ($Cakes_Param_1 -as [ipaddress]){
        return $Cakes_Param_1
    }else{
        # Otherwise resolve the hostname through DNS and keep the first address returned
        $Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString;
    }
    return $Cakes_Resolved_IP
}
Utilizing asynchronous execution techniques, the backdoor enhances performance and avoids detection by leveraging Runspace Pools. This enables multiple PowerShell instances to run concurrently, improving operational efficiency during post-exploitation activities.
Furthermore, to ensure secure communication, the backdoor establishes SSL streams between the compromised system and C2 servers, encrypting data exchanged over the network. Through encryption, threat actors mitigate the risk of interception and detection by network monitoring tools. The following code reflects the C2 communication:
function cookies{
    param (
        # Default IP in parameter = 127.0.0.1 (loopback address written in hex)
        [String]$Cookies_Param1 = "0x7F000001",
        [Int]$Cookies_Param2 = 1080,
        [Switch]$Cookies_Param3 = $false,
        [String]$Cookies_Param4 = "",
        [Int]$Cookies_Param5 = 200,
        [Int]$Cookies_Param6 = 0
    )
    # (function body not included in the published excerpt)
}
Adopting tactics observed in advanced malware, the backdoor verifies SSL certificates presented by C2 servers, ensuring the authenticity of remote endpoints. This authentication mechanism bolsters the resilience of the communication channel against potential interception or infiltration attempts.
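The features described above (DNS-based IP resolution, TCP sockets to the C2, runspace pools, SSL streams and certificate validation) are each common in legitimate administration scripts, but they rarely appear together in a single script block, which makes their co-occurrence a usable hunting signal. The PowerShell below is an added example written for this article; it is not code from the GuidePoint report or from the backdoor. It assumes script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled and that the script text sits in the event's third property; the .NET type names in the indicator list are the standard ones for the features described, which the report excerpt does not quote, and the two sample script blocks are constructed for illustration rather than taken from the real sample.

```powershell
# Added hunting example (not from the GuidePoint report or the backdoor itself).
# Assumes PowerShell script block logging (Event ID 4104) is enabled on the host.

# Indicators drawn from the features described in the write-up. The .NET type names are the
# standard ones for those features (assumption: the report excerpt does not quote them).
# Each pattern carries a weight; most are common on their own, so only co-occurrence alerts.
$Indicators = @(
    @{ Name = 'DnsResolve';   Pattern = '\[System\.Net\.Dns\]::GetHostAddresses';   Weight = 1 },
    @{ Name = 'IpCast';       Pattern = '-as\s+\[ipaddress\]';                       Weight = 1 },
    @{ Name = 'TcpSocket';    Pattern = 'System\.Net\.Sockets\.(TcpClient|Socket)';  Weight = 2 },
    @{ Name = 'RunspacePool'; Pattern = 'RunspaceFactory\]::CreateRunspacePool';     Weight = 2 },
    @{ Name = 'SslStream';    Pattern = 'System\.Net\.Security\.SslStream';          Weight = 2 },
    @{ Name = 'CertCallback'; Pattern = 'RemoteCertificateValidationCallback';       Weight = 2 },
    @{ Name = 'HexLoopback';  Pattern = '"0x7F000001"';                              Weight = 3 }  # default seen in the recovered param block
)

function Get-BackdoorIndicatorScore {
    # Returns the summed weight and the names of the indicators found in one script block.
    param([Parameter(Mandatory)][string]$ScriptText)
    $score = 0
    $hits  = New-Object System.Collections.Generic.List[string]
    foreach ($i in $Indicators) {
        if ($ScriptText -match $i.Pattern) {
            $score += $i.Weight
            $hits.Add($i.Name)
        }
    }
    [pscustomobject]@{ Score = $score; Hits = $hits.ToArray() }
}

function Find-SuspiciousScriptBlocks {
    # Reads 4104 events from the local host and reports blocks whose score reaches the threshold.
    param([int]$Threshold = 5, [datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # For 4104 events, property index 2 is ScriptBlockText and index 3 is ScriptBlockId.
        $result = Get-BackdoorIndicatorScore -ScriptText ([string]$_.Properties[2].Value)
        if ($result.Score -ge $Threshold) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Computer      = $_.MachineName
                Score         = $result.Score
                Hits          = ($result.Hits -join ',')
                ScriptBlockId = $_.Properties[3].Value
            }
        }
    }
}

# Constructed sample script blocks (not real captures) showing how the scoring separates
# a backdoor-like block from an ordinary admin snippet that also resolves a hostname.
$BackdoorLike = @'
function cakest{ param($p) IF ($p -as [ipaddress]){ return $p }
  $r = [System.Net.Dns]::GetHostAddresses($p)[0].IPAddressToString }
$pool = [RunspaceFactory]::CreateRunspacePool(1, 4)
$tcp  = New-Object System.Net.Sockets.TcpClient
$ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
'@
$AdminSnippet = @'
$ip = [System.Net.Dns]::GetHostAddresses('fileserver01')[0].IPAddressToString
Test-NetConnection $ip -Port 445
'@

Get-BackdoorIndicatorScore $BackdoorLike
Get-BackdoorIndicatorScore $AdminSnippet
# On a live host: Find-SuspiciousScriptBlocks -Threshold 5 | Format-Table
```

Run stand-alone, the constructed backdoor-like block trips five indicators (DNS resolution, the `[ipaddress]` cast, TCP socket, runspace pool and SSL stream) while the admin snippet trips only the DNS one, so a threshold around 5 keeps routine hostname lookups out of the alert stream. The weights are a starting point to tune against your own fleet's script block volume, and any hit on the hex-encoded loopback default is worth a look on its own.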
Recommendation
To protect your environment against BianLian's exploitation of TeamCity vulnerabilities, consider the following measures:
- Apply Security Patches: Ensure that your TeamCity software is up to date with the latest security patches provided by JetBrains. Regularly check for updates and apply them promptly to mitigate known vulnerabilities.
- Network Segmentation: Implement network segmentation to isolate critical systems and sensitive data from potentially compromised areas of your network. This can help prevent the spread of malware in case of a successful attack.
- Monitor Network Traffic: Monitor your network traffic for any suspicious activity, such as unusual connections or traffic patterns. Use intrusion detection and prevention systems to detect and block malicious traffic.
- Use Access Controls: Implement strong access controls and least privilege principles to limit the exposure of sensitive systems and data. Only grant access to TeamCity servers to authorized users who require it for their job responsibilities.
- Security Awareness Training: Educate your employees about the risks of phishing attacks and social engineering tactics used by cybercriminals to exploit vulnerabilities. Encourage them to be cautious when opening email attachments or clicking on links, especially from unknown sources.
- Penetration Testing: Conduct regular penetration testing and vulnerability assessments to identify and address security weaknesses in your TeamCity environment before they can be exploited by attackers.
- Backup Data: Regularly back up your critical data and ensure that backups are stored securely offline. This can help you recover your data in case of a ransomware attack or data breach.
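The write-up notes that the attackers created new users inside TeamCity during post-exploitation, which makes the server's user list a cheap thing to baseline and diff as part of the access-control and monitoring recommendations above. The PowerShell below is an added example for this article, not code from GuidePoint, JetBrains or the report. It assumes the server exposes the REST endpoint /app/rest/users to an access token permitted to view users and that the JSON reply carries a user array with username fields (both assumptions about the TeamCity API); the sample reply, server URL, usernames and ids are constructed.

```powershell
# Added example: baseline the TeamCity user list and flag accounts that appear later.
# Assumptions: /app/rest/users is reachable with a token that may view users, and the
# JSON reply has the shape {"count":N,"user":[{"id":..,"username":..,"href":..}]}.

function Get-TeamCityUsernames {
    param(
        [Parameter(Mandatory)][string]$ServerUrl,    # placeholder, e.g. https://teamcity.example.internal
        [Parameter(Mandatory)][string]$AccessToken   # TeamCity access token; a read-only one is enough
    )
    $headers = @{ Authorization = "Bearer $AccessToken"; Accept = 'application/json' }
    $reply = Invoke-RestMethod -Uri "$($ServerUrl.TrimEnd('/'))/app/rest/users" -Headers $headers
    @($reply.user | ForEach-Object username)
}

function Compare-UserBaseline {
    # Returns accounts present now but absent from the baseline, and vice versa.
    param(
        [Parameter(Mandatory)][string[]]$Baseline,
        [Parameter(Mandatory)][string[]]$Current
    )
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { $_ -notin $Baseline })
        Removed = @($Baseline | Where-Object { $_ -notin $Current })
    }
}

function Save-UserBaseline {
    # Writes the current list to disk so the next run can diff against it.
    param(
        [Parameter(Mandatory)][string[]]$Usernames,
        [string]$Path = "$env:ProgramData\teamcity-users.baseline.json"
    )
    ConvertTo-Json -InputObject $Usernames | Set-Content -Path $Path
}

# Constructed sample reply (not from a real server) so the diff can be exercised offline.
$SampleReply = '{"count":3,"user":[{"id":1,"username":"admin","href":"/app/rest/users/id:1"},' +
               '{"id":2,"username":"build-svc","href":"/app/rest/users/id:2"},' +
               '{"id":7,"username":"support","href":"/app/rest/users/id:7"}]}'
$current  = @(($SampleReply | ConvertFrom-Json).user | ForEach-Object username)
$baseline = @('admin', 'build-svc')          # constructed: what was recorded at the last known-good point
$diff = Compare-UserBaseline -Baseline $baseline -Current $current
$diff.Added | ForEach-Object { Write-Warning "TeamCity account not in baseline: $_" }

# Against a live server (token supplied out of band, baseline saved earlier with Save-UserBaseline):
#   $now = Get-TeamCityUsernames -ServerUrl 'https://teamcity.example.internal' -AccessToken $token
#   Compare-UserBaseline -Baseline (Get-Content $baselinePath | ConvertFrom-Json) -Current $now
```

With the constructed reply, the diff reports the `support` account as not in the baseline, which is exactly the kind of entry to cross-check against the TeamCity audit log and change tickets. Schedule the live version from a host outside the build infrastructure and refresh the baseline only after a reviewed change, so that an account added by an intruder cannot quietly become part of the expected set.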