{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/jetbrains/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-42793"}],"_cs_exploited":false,"_cs_products":["TeamCity"],"_cs_severities":["medium"],"_cs_tags":["teamcity","supply-chain","initial-access"],"_cs_type":"advisory","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eJetBrains TeamCity is a continuous integration and deployment server, making it a high-value target for attackers. Exploitation of TeamCity vulnerabilities can lead to remote code execution, enabling adversaries to compromise the software development pipeline. This activity is detected by monitoring for suspicious child processes initiated by the TeamCity Java executable, focusing on executables like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and \u003ccode\u003emsiexec.exe\u003c/code\u003e. The detection logic excludes legitimate operations to reduce false positives. This activity can lead to complete compromise of the build environment, allowing attackers to inject malicious code into software builds.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker exploits a vulnerability (e.g., CVE-2023-42793) in the TeamCity server to gain initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The attacker leverages the vulnerability to execute arbitrary code on the TeamCity server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess Spawning:\u003c/strong\u003e The attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, from the TeamCity Java process (\u003ccode\u003ejava.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses discovery commands via the spawned shell to enumerate users, network configuration, and running processes using tools like \u003ccode\u003ewhoami.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, and \u003ccode\u003etasklist.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker leverages system binary proxy execution using tools like \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e While not explicitly mentioned, the attacker could establish persistence by creating scheduled tasks or modifying registry keys via spawned processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses discovered credentials to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker injects malicious code into software builds, compromises sensitive data, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of JetBrains TeamCity can lead to a full compromise of the software development lifecycle, resulting in supply chain attacks. Attackers can inject malicious code into software builds, leading to widespread distribution of compromised software. While specific victim counts are unavailable, this type of attack has the potential to affect numerous organizations relying on the compromised software. The Trend Micro research indicates that TeamCity vulnerability exploits can lead to Jasmin ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious JetBrains TeamCity Child Process\u0026rdquo; rule to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture process execution events, which are essential for triggering the detection rule.\u003c/li\u003e\n\u003cli\u003eReview and patch any known vulnerabilities in JetBrains TeamCity, focusing on remote code execution flaws as described in the referenced Trend Micro report.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised TeamCity server and prevent lateral movement.\u003c/li\u003e\n\u003cli\u003eContinuously monitor TeamCity server logs for any unusual activity or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eTune the \u0026ldquo;Suspicious JetBrains TeamCity Child Process\u0026rdquo; rule by creating exceptions for legitimate build scripts that invoke command-line utilities to reduce false positives, as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-15T12:00:00Z","date_published":"2024-05-15T12:00:00Z","id":"/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/","summary":"Detection of suspicious processes spawned by JetBrains TeamCity indicates potential exploitation of remote code execution vulnerabilities, with attackers using command interpreters and system binaries for malicious purposes.","title":"Suspicious Child Processes Spawned by JetBrains TeamCity","url":"https://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":["TeamCity"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-27199","path-traversal","ransomware","jetbrains"],"_cs_type":"threat","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eCVE-2024-27199 is a relative path traversal vulnerability affecting JetBrains TeamCity, a continuous integration and deployment server. This vulnerability allows attackers to perform limited administrative actions by manipulating file paths. JetBrains released a patch for this vulnerability in version 2023.11.4. CISA has added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild, including its use in ransomware attacks. The vulnerability poses a significant risk to organizations using TeamCity, potentially leading to unauthorized access, data breaches, and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable TeamCity server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a relative path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) within a URL parameter related to administrative functions.\u003c/li\u003e\n\u003cli\u003eThe TeamCity server processes the crafted request without proper sanitization of the file path.\u003c/li\u003e\n\u003cli\u003eThe relative path traversal allows the attacker to access or modify restricted files or directories outside the intended scope.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to perform limited admin actions, potentially modifying user permissions or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, gaining full control over the TeamCity server.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware to connected systems, encrypting data and demanding a ransom for its release.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-27199 can lead to complete compromise of the TeamCity server and connected build agents. Due to TeamCity\u0026rsquo;s central role in software development and deployment pipelines, this can lead to significant disruption, data loss, and potential supply chain attacks. The vulnerability has been linked to ransomware attacks, causing financial losses, reputational damage, and operational downtime for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch by upgrading to TeamCity version 2023.11.4 or later to remediate CVE-2024-27199 (\u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts against TeamCity servers.\u003c/li\u003e\n\u003cli\u003eFollow CISA\u0026rsquo;s BOD 22-01 guidance for cloud services to ensure proper security configurations and monitoring are in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-teamcity-path-traversal/","summary":"A relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199) could allow limited administrative actions and has been linked to ransomware attacks.","title":"JetBrains TeamCity Relative Path Traversal Vulnerability (CVE-2024-27199)","url":"https://feed.craftedsignal.io/briefs/2024-04-teamcity-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Corretto JDK","UEM Proxy Server","UEM Core","dbeaver.exe","Docker","Chrome","Internet Explorer","PyCharm Community Edition","Firefox","VirtualBox","Puppet","nexpose","Silverfort AD Adapter","Nessus","VMware View","Advanced Port Scanner","DesktopCentral Agent","LanGuard","SAP BusinessObjects","SuperScan","ZSATunnel"],"_cs_severities":["medium"],"_cs_tags":["kerberoasting","credential-access","lateral-movement","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","SentinelOne","Amazon","BlackBerry","DBeaver","Docker","Google","Microsoft","JetBrains","Mozilla","Oracle","Puppet Labs","Rapid7","Silverfort","Tenable","VMware","GFI","SAP","Zscaler"],"content_html":"\u003cp\u003eThis detection identifies unusual processes initiating network connections to the standard Kerberos port (88) on Windows systems. Typically, the \u003ccode\u003elsass.exe\u003c/code\u003e process handles Kerberos traffic on domain-joined hosts. The rule aims to detect processes other than \u003ccode\u003elsass.exe\u003c/code\u003e communicating with the Kerberos port, which could indicate malicious activity such as Kerberoasting (T1558.003) or Pass-the-Ticket (T1550.003). The detection is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. This can help security teams identify potential credential access attempts and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a user account or system within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious binary or script (e.g., PowerShell) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to request Kerberos service tickets (TGS) for various services within the domain. This is done by connecting to the Kerberos port (88) on a domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003eRubeus\u003c/code\u003e or \u003ccode\u003eKerberoast.ps1\u003c/code\u003e to enumerate and request TGS tickets.\u003c/li\u003e\n\u003cli\u003eThe unusual process (not \u003ccode\u003elsass.exe\u003c/code\u003e) sends Kerberos traffic to the domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the Kerberos tickets from memory or network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the offline TGS tickets to obtain service account passwords (Kerberoasting).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised service account credentials to move laterally within the network or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberoasting or Pass-the-Ticket attack can lead to unauthorized access to sensitive resources and lateral movement within the network. Attackers can compromise service accounts with elevated privileges, potentially leading to domain-wide compromise. Detection of this behavior can prevent attackers from gaining access to critical assets. While the exact number of victims and sectors targeted are unknown, this technique is widely used by various threat actors in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Kerberos Traffic from Unusual Process\u0026rdquo; Sigma rule to your SIEM and tune for your environment. Enable network connection logging to capture the necessary traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious binaries.\u003c/li\u003e\n\u003cli\u003eReview event ID 4769 for suspicious ticket requests as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eExamine host services for suspicious entries as outlined in the original Elastic detection rule using Osquery.\u003c/li\u003e\n\u003cli\u003eMonitor for processes connecting to port 88, filtering out legitimate Kerberos clients like \u003ccode\u003elsass.exe\u003c/code\u003e, using the \u0026ldquo;Detect Kerberos Traffic from Non-Standard Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate processes identified by the rule and compare them to the list of legitimate processes to identify unauthorized connections to the Kerberos port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-03-kerberoasting-unusual-process/","summary":"Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.","title":"Kerberos Traffic from Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kerberoasting-unusual-process/"}],"language":"en","title":"CraftedSignal Threat Feed — JetBrains","version":"https://jsonfeed.org/version/1.1"}