Ransomware operation BianLian has exploited JetBrains TeamCity continuous integration and continuous development platform vulnerabilities, tracked as CVE-2024-27198 and CVE-2024-42793, in new attacks, Security Affairs reports.
According to a report from GuidePoint Security, the intrusions used the flaws to achieve initial compromise, followed by malicious command execution and further exploitation. While several attempts to deploy a custom GO backdoor were unsuccessful, BianLian succeeded in distributing a PowerShell version of that backdoor through living-off-the-land techniques, the researchers said. Further examination of the PowerShell script revealed function cookies with certain parameters, including one containing the IP address of the server hosting the ransomware group's GO backdoor.

Such a development reflects the adaptive nature of the BianLian ransomware gang amid a continuously evolving threat landscape, the researchers said. "This behavior aligns with what GRIT has assessed and hypothesized in our 2024 ransomware report, and we expect this type of behavior to continue to grow, especially for groups that leverage a data-exfiltration-only approach to ransomware," the report said.