The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.
According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian’s Go backdoor.”
BianLian emerged in June 2022, and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023.
The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.
It’s currently not clear which of the two flaws were weaponized by the threat actor for infiltration.
BianLian actors are known to implant a custom backdoor tailored to each victim written in Go, as well as drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.
“BianLian’s backdoor, similar to the encryptor, is written in Go. Its core functionality is more of a loader than a classic backdoor, with its main functionality being downloading and executing additional payloads,” Palo Alto Networks Unit 42 noted in January 2024. “The backdoor contains a hard-coded C2 IP address and port to communicate with.”
“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.
The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for additional network communication to an actor-controlled server, allowing the remote attackers to conduct arbitrary actions on an infected host.
“The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker’s post-exploitation objectives,” the researchers said.
The disclosure comes as VulnCheck detailed fresh proof-of-concept (PoC) exploits for a critical security flaw impacting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) that could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory.
The flaw has since been weaponized to deploy C3RB3R ransomware, cryptocurrency miners and remote access trojans over the past two months, indicating widespread exploitation in the wild.
“There’s more than one way to reach Rome,” VulnCheck’s Jacob Baines noted. “While using freemarker.template.utility.Execute appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators.”
