11 March 2024

JetBrains TeamCity bugs exploited in BianLian ransomware attacks


JetBrains TeamCity bugs exploited in BianLian ransomware attacks

Threat actors behind the BianLian ransomware operation have added two security flaws in JetBrains TeamCity software to their arsenal.

Last week, security researchers warned that two recently disclosed vulnerabilities (CVE-2024-27198 and CVE-2024-27199) in JetBrains' TeamCity On-Premises continuous integration and continuous delivery (CI/CD) server are being targeted by threat actors. The flaws affect all TeamCity On-Premises versions through 2023.11.3 and have been fixed in version 2023.11.4. Multiple researchers said they have observed attempts to exploit CVE-2024-27198, with the first attacks spotted on March 5, 2024.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-27198 to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the flaw is targeted in the wild.

GuidePoint's Digital Forensics and Incident Response (DFIR) team said it spotted the malicious activity while investigating an incident within a client's network. The activity involved tactics associated with the BianLian ransomware group, which switched to extortion-only attacks last year.

The threat actor leveraged CVE-2024-27198 or CVE-2023-42793 to gain initial access to the victim environment; the researchers said they were not able to determine precisely which CVE was exploited. The attacker then created users in TeamCity, executed malicious commands under the TeamCity product's service account, and deployed a PowerShell backdoor.

Once inside the victim's environment, the threat actor used native Windows commands to identify additional infrastructure, created a new account on one of the build servers, and added it to user groups, further deepening their foothold within the network. The malicious activity was detected when the threat actor attempted a Security Accounts Manager (SAM) credential dumping technique, triggering alerts from security solutions.

After failed attempts to execute their standard Go-based backdoor, the BianLian operators pivoted to a PowerShell version of the backdoor, which mirrored the functionality of the original trojan.

This tool allowed the threat actor to remotely conduct operations on infected systems while concealing their activity within an encrypted tunnel. Notably, this implementation also mirrored BianLian's use of certificates for authentication, a characteristic security researchers often use to identify the group's infrastructure.
