The recently patched TeamCity RCE flaw is now under active attack by numerous ransomware gangs. Researchers are warning organizations to patch their systems immediately, and suspect that many unpatched ones have already fallen prey to the attacks.
Multiple Ransomware Groups Exploit TeamCity RCE Flaw Despite Patch
In a recent tweet, the security and threat intelligence service GreyNoise warned users about active exploitation attempts against the newly discovered remote code execution vulnerability in JetBrains' TeamCity software.
TeamCity is a dedicated CI/CD product that numerous organizations use to manage their source code and builds. The software boasts a large clientele, including names like Gearbox Entertainment, Gradle, and Playrix.
According to GreyNoise, it observed numerous attempts to exploit the critical TeamCity RCE flaw (CVE-2023-42793) from several ransomware groups. In fact, it even warned organizations to consider their networks already infiltrated if they had not patched their systems in time.
35 malicious IPs seen doing internet-wide attempts at digging into JetBrains TeamCity installs. You and your org are 100% REDACTED if you had any of these on the internet and not patched in the last ~48hrs.
— GreyNoise (@GreyNoiseIO) September 29, 2023
Besides GreyNoise, another cybersecurity service, PRODAFT, issued a similar warning after its security platform detected numerous exploitation attempts over a period of three days. While it is unclear whether the affected organizations have already fallen victim to ransomware attacks, the researchers suspect that those firms might have to suffer "a huge headache" in the coming days.
Many popular ransomware groups started to weaponize CVE-2023-42793 and added the exploitation phase in their workflow.
Our #BLINDSPOT platform has detected multiple organizations already exploited by threat actors over the last three days. Unfortunately, most of them will…
— PRODAFT (@PRODAFT) October 1, 2023
PRODAFT's prediction of a chaotic situation among the affected organizations sounds highly plausible. There have been numerous cases in the past where attackers remained dormant on victim networks before executing the ransomware. This tactic gives the threat actors enough time for reconnaissance and gaining persistence, and ensures that the victims are left with no option but to fulfil the attackers' demands.
Users Should Remain Vigilant
JetBrains recently patched the critical TeamCity vulnerability, following the Sonar researchers' report, in TeamCity On-Premises version 2023.05.4. However, given that users often neglect prompt system updates, the unpatched systems have now become exposed to ransomware attacks.
Regardless, users must ensure their systems are updated to the latest TeamCity release to avoid the threat. In addition, all firms running TeamCity should perform thorough network security scans to confirm that no malicious infiltration has taken place.
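A first triage step for the advice above is simply to find which TeamCity On-Premises hosts in an inventory still report a version below 2023.05.4, the fixed release named in the article. The following script is an added example, not code from the article, from JetBrains, or from the researchers quoted; it assumes an inventory that records each server's version string in the form TeamCity reports it (year.minor.patch, optionally followed by a build number), and the sample inventory embedded below is constructed data.

```python
"""Flag TeamCity servers whose reported version is below the fixed release.

Added example (not the article's or JetBrains' code). Assumes an inventory of
hosts with a version string such as "2023.05.3 (build 12345)"; the sample
inventory at the bottom is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Fixed release for CVE-2023-42793 as stated in the article: TeamCity On-Premises 2023.05.4.
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)

# TeamCity versions look like YYYY.MM or YYYY.MM.patch; anything after that
# (e.g. " (build 12345)") is ignored.
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d{2})(?:\.(\d+))?\b")


class Host(NamedTuple):
    name: str
    version: str  # version string as the server reports it


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (year, minor, patch) from a TeamCity version string.

    Returns None when nothing recognisable is present so that callers treat
    the host as 'unknown' for manual review instead of silently skipping it.
    A release with no patch component (e.g. "2023.11") is treated as patch 0.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    year, minor, patch = match.groups()
    return int(year), int(minor), int(patch or 0)


def is_patched(version_text: str) -> Optional[bool]:
    """True if the version is 2023.05.4 or later, False if older, None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    # Tuple comparison orders by year, then minor, then patch, so 2023.11
    # and 2024.x correctly compare as newer than 2023.05.4.
    return version >= FIXED_VERSION


def triage(hosts: List[Host]) -> Dict[str, str]:
    """Map each host name to 'patched', 'VULNERABLE' or 'unknown'."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host.name: labels[is_patched(host.version)] for host in hosts}


# Constructed sample inventory; names and versions are made up for illustration.
SAMPLE_HOSTS: List[Host] = [
    Host("build-01", "2023.05.4 (build 12345)"),
    Host("build-02", "2023.05.3 (build 12300)"),
    Host("build-03", "2022.10.1"),
    Host("build-04", "2023.11"),
    Host("build-05", "version not recorded"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_HOSTS).items():
        print(f"{name:10} {status}")
```

Treat the output as a list of hosts to examine, not as proof of compromise or safety: a host that was fixed by some means other than upgrading would still be flagged, and a patched host may already have been compromised before the update, which is why the scan of the surrounding network recommended above still matters.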