Hundreds of Rogue Users Added to Unpatched TeamCity Servers

Security experts have warned that threat actors are now exploiting a critical TeamCity vulnerability en masse, creating hundreds of new user accounts on compromised servers.

TeamCity is a popular CI/CD developer tool from Czech outfit JetBrains. Rapid7 published exploit details of two new vulnerabilities in the product earlier this week.

These include CVE-2024-27198: an authentication bypass vulnerability in the web component of TeamCity which has a CVSS base score of 9.8. It could enable “complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated remote code execution (RCE),” according to Rapid7.

Cybersecurity firm LeakIX revealed in a post on X (formerly Twitter) yesterday that it found 1711 vulnerable TeamCity instances in its last scan. Of these, 1442 (84%) showed “clear signs of rogue user creation,” it added.

In a separate post, the firm revealed that it had observed “hundreds” of these user accounts being created by attackers “for later use across the internet.”

This could have a major knock-on effect across the web, as TeamCity plays a key role for many organizations in helping developers create and deploy software.

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 warned on Monday.

Sysadmins have been urged by JetBrains and Rapid7 to upgrade their on-premises TeamCity servers without delay to avoid such an eventuality. However, for many it may be too late.

“If you were/are still running a vulnerable system, assume compromise,” LeakIX warned.

The JetBrains product has been the target of Russian state actors in the past.

In December last year, a joint advisory from agencies in the US, UK and Poland warned that Cozy Bear (APT29) had “been targeting servers hosting JetBrains TeamCity software since September 2023.”
