Suspicious Child Processes Spawned by JetBrains TeamCity

hello@craftedsignal.io — Wed, 15 May 2024 12:00:00 +0000

JetBrains TeamCity is a continuous integration and deployment server, making it a high-value target for attackers. Exploitation of TeamCity vulnerabilities can lead to remote code execution, enabling adversaries to compromise the software development pipeline. This activity is detected by monitoring for suspicious child processes initiated by the TeamCity Java executable, focusing on executables like cmd.exe, powershell.exe, and msiexec.exe. The detection logic excludes legitimate operations to reduce false positives. This activity can lead to complete compromise of the build environment, allowing attackers to inject malicious code into software builds.

Attack Chain

Initial Access: An attacker exploits a vulnerability (e.g., CVE-2023-42793) in the TeamCity server to gain initial access.
Code Execution: The attacker leverages the vulnerability to execute arbitrary code on the TeamCity server.
Process Spawning: The attacker spawns a command interpreter, such as cmd.exe or powershell.exe, from the TeamCity Java process (java.exe).
Discovery: The attacker uses discovery commands via the spawned shell to enumerate users, network configuration, and running processes using tools like whoami.exe, ipconfig.exe, and tasklist.exe.
Defense Evasion: The attacker leverages system binary proxy execution using tools like mshta.exe or regsvr32.exe to evade detection.
Persistence: While not explicitly mentioned, the attacker could establish persistence by creating scheduled tasks or modifying registry keys via spawned processes.
Lateral Movement: The attacker uses discovered credentials to move laterally to other systems within the network.
Impact: The attacker injects malicious code into software builds, compromises sensitive data, or deploys ransomware.

Impact

Successful exploitation of JetBrains TeamCity can lead to a full compromise of the software development lifecycle, resulting in supply chain attacks. Attackers can inject malicious code into software builds, leading to widespread distribution of compromised software. While specific victim counts are unavailable, this type of attack has the potential to affect numerous organizations relying on the compromised software. The Trend Micro research indicates that TeamCity vulnerability exploits can lead to Jasmin ransomware deployment.

Recommendation

Deploy the “Suspicious JetBrains TeamCity Child Process” rule to your SIEM to detect potential exploitation attempts.
Enable Sysmon process creation logging to capture process execution events, which are essential for triggering the detection rule.
Review and patch any known vulnerabilities in JetBrains TeamCity, focusing on remote code execution flaws as described in the referenced Trend Micro report.
Implement network segmentation to limit the impact of a compromised TeamCity server and prevent lateral movement.
Continuously monitor TeamCity server logs for any unusual activity or unauthorized access attempts.
Tune the “Suspicious JetBrains TeamCity Child Process” rule by creating exceptions for legitimate build scripts that invoke command-line utilities to reduce false positives, as mentioned in the rule’s documentation.

JetBrains TeamCity Relative Path Traversal Vulnerability (CVE-2024-27199)

hello@craftedsignal.io — Mon, 29 Apr 2024 12:00:00 +0000

CVE-2024-27199 is a relative path traversal vulnerability affecting JetBrains TeamCity, a continuous integration and deployment server. This vulnerability allows attackers to perform limited administrative actions by manipulating file paths. JetBrains released a patch for this vulnerability in version 2023.11.4. CISA has added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild, including its use in ransomware attacks. The vulnerability poses a significant risk to organizations using TeamCity, potentially leading to unauthorized access, data breaches, and system compromise.

Attack Chain

The attacker identifies a vulnerable TeamCity server exposed to the internet.
The attacker crafts a malicious HTTP request containing a relative path traversal sequence (e.g., ../../) within a URL parameter related to administrative functions.
The TeamCity server processes the crafted request without proper sanitization of the file path.
The relative path traversal allows the attacker to access or modify restricted files or directories outside the intended scope.
The attacker leverages the ability to perform limited admin actions, potentially modifying user permissions or injecting malicious code.
The attacker escalates privileges, gaining full control over the TeamCity server.
The attacker deploys ransomware to connected systems, encrypting data and demanding a ransom for its release.

Impact

Successful exploitation of CVE-2024-27199 can lead to complete compromise of the TeamCity server and connected build agents. Due to TeamCity’s central role in software development and deployment pipelines, this can lead to significant disruption, data loss, and potential supply chain attacks. The vulnerability has been linked to ransomware attacks, causing financial losses, reputational damage, and operational downtime for affected organizations.

Recommendation

Apply the vendor-supplied patch by upgrading to TeamCity version 2023.11.4 or later to remediate CVE-2024-27199 (https://www.jetbrains.com/privacy-security/issues-fixed/).
Deploy the Sigma rules provided in this brief to detect exploitation attempts against TeamCity servers.
Follow CISA’s BOD 22-01 guidance for cloud services to ensure proper security configurations and monitoring are in place.

TeamCity — CraftedSignal Threat Feed

Suspicious Child Processes Spawned by JetBrains TeamCity

Attack Chain

Impact

Recommendation

JetBrains TeamCity Relative Path Traversal Vulnerability (CVE-2024-27199)

Attack Chain

Impact

Recommendation