JetBrains TeamCity under active attack by hackers, patch NOW
Take action: If you are running a self-hosted TeamCity instance and haven't patched it, it's quite possibly hacked. Check for new and unknown users; if there are none, consider yourself lucky. Patch or update it IMMEDIATELY. If there is any suspicion of being hacked, isolate the instance and do a forensic cleanup. Revoke any code or artifacts built by the suspect instance.
The critical vulnerability identified in JetBrains TeamCity On-Premises, CVE-2024-27198, is being actively exploited to create unauthorized administrator accounts on the platform. The vulnerability allows attackers to bypass authentication mechanisms and gain administrative access, leading to the creation of hundreds of new users on unpatched TeamCity instances.
The exploitation of this vulnerability poses a significant supply-chain risk: compromised TeamCity servers build and deploy software, so an attacker with administrative access can read sensitive information (credentials, secrets, source) or insert malicious components into otherwise trusted code.
As of the 7th of March 2024, LeakIX, a search engine that identifies exposed device misconfigurations and vulnerabilities, had detected 1,711 TeamCity servers that have yet to be updated, with the majority of vulnerable servers located in Germany, the United States, and Russia.
Cybersecurity firms and researchers have observed a sharp increase in attempts to exploit this vulnerability.
More than 1,440 instances have already been compromised, with hackers creating between 3 and 300 new user accounts on each affected server.
In response to the threat, TeamCity users are advised to monitor their servers for any signs of compromise, including unauthorized user creation and unknown user access tokens. Suspicious activities should prompt an immediate investigation and, if necessary, isolation of the compromised server to prevent further unauthorized access.
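A defender-side check for the "new and unknown users" indicator described above, as an added example that is not part of this article: it audits a TeamCity user listing against a roster of accounts the team actually created and flags everything else. The REST endpoint `/app/rest/users`, its `fields` parameter and the `Bearer` token header are assumed from TeamCity's REST documentation; the sample JSON, usernames and roster are constructed.

```python
"""Audit a TeamCity user list for accounts nobody on the team created."""
import json
import urllib.request

# Constructed sample mimicking GET /app/rest/users output on a server where
# rogue accounts were added (ids 57/58 are not on the roster below).
SAMPLE_USERS_JSON = json.dumps({
    "count": 4,
    "user": [
        {"id": 1, "username": "admin", "name": "Build Admin",
         "lastLogin": "20240301T091500+0000"},
        {"id": 2, "username": "ci-bot", "name": "CI Service",
         "lastLogin": "20240306T230000+0000"},
        {"id": 57, "username": "qx7v2k", "name": "qx7v2k",
         "lastLogin": "20240305T031205+0000"},
        {"id": 58, "username": "support_team", "name": ""},
    ],
})

# Roster of expected accounts (constructed; in practice load it from your IdP
# or configuration management, not from the TeamCity server under suspicion).
KNOWN_USERS = {"admin", "ci-bot"}


def fetch_users(base_url, token):
    """Fetch the live user list. Endpoint and fields are assumed from the
    TeamCity REST docs; an administrator access token is required."""
    url = f"{base_url}/app/rest/users?fields=user(id,username,name,lastLogin)"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}",
                      "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def unknown_users(users_json, known):
    """Return users absent from the roster, ordered by id.
    TeamCity omits the "user" array entirely when count is 0, so default it."""
    users = json.loads(users_json).get("user", [])
    flagged = [u for u in users if u.get("username") not in known]
    return sorted(flagged, key=lambda u: u["id"])


if __name__ == "__main__":
    for u in unknown_users(SAMPLE_USERS_JSON, KNOWN_USERS):
        print(f"UNKNOWN user id={u['id']} username={u['username']!r} "
              f"lastLogin={u.get('lastLogin') or 'never'}")
```

Any flagged account on a server that was exposed before patching is grounds for the isolation and forensic steps above, not for simply deleting the user.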