EXECUTIVE SUMMARY:

Security experts have warned that cyber criminals are exploiting a critical TeamCity vulnerability en masse. Hackers are creating hundreds of new user accounts on compromised servers. 

TeamCity as a target

First released in 2006, the popular commercial software known as TeamCity enables developers to create and test software in an automated fashion.

It offers feedback on code changes and reduces code integration problems. It also has native support for Jira, Visual Studio, Bugzilla (bug tracking), Maven (build automation), and more than a dozen other tools.

TeamCity has been used to build everything from websites to banking systems. According to parent company JetBrains, over 30,000 organizations rely on TeamCity. But the tool’s popularity has presented security challenges.

In late 2023, experts raised concerns about APT29's active exploitation of a similar vulnerability in the TeamCity product. As for the current vulnerability, well, keep reading…

Current vulnerability details

The new vulnerability is listed as CVE-2024-27198. It’s an authentication bypass vulnerability in the web component of TeamCity on-premises.

As noted previously, the vulnerability is being exploited on a large scale, which involves the creation of numerous new users on unpatched instances of TeamCity that are exposed on the public web.

Risk to supply chain

JetBrains did address the issue with a fix on Monday. However, more than 1,700 organizations have yet to receive the software update.

The vulnerable hosts are primarily located in Germany, the United States and Russia, with a few in China, the Netherlands and France. Of these, researchers believe that cyber criminals have already compromised more than 1,440 instances.

“There are between 3 and 300 users created on compromised instances, usually the pattern is 8 alphanum characters,” said a spokesperson from LeakIX, a search engine for exposed device misconfigurations and vulnerabilities.
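As an added illustration (not from the article, LeakIX or JetBrains), here is a Python triage script that applies the indicator quoted above to a user list exported from a TeamCity server: it flags usernames of exactly 8 alphanumeric characters that are not on a known-good allowlist, and reports a burst when at least 3 such accounts were active within a short window. The JSON layout and the `lastLogin` timestamp field are assumptions, and the sample records are constructed.

```python
import json
import re
from datetime import datetime, timedelta

# Indicator reported for compromised instances: usernames of 8 alphanumeric characters.
SUSPECT_NAME = re.compile(r"^[A-Za-z0-9]{8}$")

# Constructed sample records; the layout and the lastLogin field are assumptions,
# not a documented export format.
SAMPLE_USERS = json.loads("""
{"user": [
  {"username": "admin",    "name": "Build Admin", "lastLogin": "20240301T090000+0000"},
  {"username": "jsmith01", "name": "Jane Smith",  "lastLogin": "20240228T173000+0000"},
  {"username": "Xk29fQz7", "name": "",            "lastLogin": "20240305T021410+0000"},
  {"username": "p0Lm3RtA", "name": "",            "lastLogin": "20240305T021412+0000"},
  {"username": "9aQwErTy", "name": "",            "lastLogin": "20240305T021415+0000"},
  {"username": "ci-bot",   "name": "CI Service",  "lastLogin": "20240304T120000+0000"}
]}
""")


def find_suspect_accounts(users, allowlist=frozenset()):
    """Return user records whose username matches the indicator, minus known-good names."""
    return [u for u in users["user"]
            if u["username"] not in allowlist and SUSPECT_NAME.match(u["username"])]


def parse_ts(value):
    """Parse the assumed compact timestamp format, e.g. 20240305T021410+0000."""
    return datetime.strptime(value, "%Y%m%dT%H%M%S%z")


def burst_detected(suspects, min_count=3, window=timedelta(minutes=10)):
    """True if at least min_count suspect accounts were active inside one window.

    min_count=3 mirrors the lower bound quoted for compromised instances."""
    times = sorted(parse_ts(u["lastLogin"]) for u in suspects)
    for i in range(len(times) - min_count + 1):
        if times[i + min_count - 1] - times[i] <= window:
            return True
    return False


def triage(users, allowlist=frozenset()):
    """Summarise suspect usernames and whether they look like a mass-creation burst."""
    suspects = find_suspect_accounts(users, allowlist)
    return {"suspects": [u["username"] for u in suspects],
            "burst": burst_detected(suspects)}


if __name__ == "__main__":
    print(triage(SAMPLE_USERS, allowlist={"jsmith01"}))
```

Legitimate 8-character usernames (such as `jsmith01` above) trigger the name check on their own, so an allowlist of known staff accounts is what separates false positives from the burst pattern.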

The compromise of production machines used to build and deploy software (as TeamCity provides) could lead to supply chain attacks, as they may contain sensitive information about the environments where code is deployed, published or stored. Hackers could potentially extract information, reconfigure details and/or deploy a significant malware-based threat.

March 5th 2024: On March 5th, experts recorded a sharp spike in attempts to exploit CVE-2024-27198. The majority of attempts came from systems in the United States, on the DigitalOcean hosting infrastructure.

Unauthorized access to a TeamCity server could grant an attacker complete control over all aspects of projects — builds, agents and artifacts. Consequently, it serves as a suitable means through which to position an attacker to execute a supply chain attack.

Urgent update

The severity score for CVE-2024-27198 is 9.8 out of 10. The bug affects all TeamCity releases up to 2023.11.4 of the on-premise version.

Due to the widespread vulnerability exploitation, administrators of on-premise TeamCity instances are advised to install the newest updates immediately.

This incident underscores the importance of addressing vulnerabilities in a timely manner. It also speaks to the need to implement proactive threat detection mechanisms.

Subscribe to the CyberTalk.org newsletter for more timely info, interviews and cutting-edge analyses, delivered straight to your inbox each week.