Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT.
The attacks entail the exploitation of CVE-2024-27198 (CVSS score: 9.8) that enables an adversary to bypass authentication measures and gain administrative control over affected servers.
“The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs),” Trend Micro said in a new report.
“Ransomware can then be installed as a final payload to encrypt files and demand ransom payments from victims.”
Following public disclosure of the flaw earlier this month, it has been weaponized by threat actors associated with BianLian and Jasmin ransomware families, as well as to drop the XMRig cryptocurrency miner and Spark RAT.
Organizations relying on TeamCity for their CI/CD processes are recommended to update their software as soon as possible to safeguard against potential threats.
The development comes as ransomware continues to be both formidable and profitable, with new strains like DoNex, Evil Ant, Lighter, RA World, and WinDestroyer emerging in the wild, even as notorious cybercrime crews like LockBit are still accepting affiliates into their program despite law enforcement actions against them.
WinDestroyer, in particular, stands out for its ability to encrypt files and render targeted systems unusable with no means to recover the data, raising the possibility that the threat actors behind it are geopolitically motivated.
“One of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS outfits at a time,” Cisco Talos said. “It’s going to take persistent, strategic efforts to significantly damage RaaS operations and weaken the regenerative power of these gangs.”
Data shared by the U.S. Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) shows that 2,825 ransomware infections were reported in 2023, causing adjusted losses of more than $59.6 million. Of these, 1,193 came from organizations belonging to a critical infrastructure sector.
The top five ransomware variants impacting critical infrastructure in the U.S. include LockBit, BlackCat (aka ALPHV or Noberus), Akira, Royal, and Black Basta.
Besides offering a bigger chunk of the proceeds to court affiliates, the landscape is witnessing increased collaboration between different ransomware groups that share their malicious tooling with each other.
These partnerships also manifest in the form of ghost groups, in which one ransomware operation outsources its skills to another, as seen in the case of Zeon, LockBit, and Akira.
Broadcom-owned Symantec, in a report published last week, revealed that “ransomware activity remains on an upward trend despite the number of attacks claimed by ransomware actors decreasing by slightly more than 20% in the fourth quarter of 2023.”
According to statistics published by NCC Group, the total number of ransomware cases in February 2024 increased by 46% from January, up from 285 to 416, led by LockBit (33%), Hunters (10%), BlackCat (9%), Qilin (9%), BianLian (8%), Play (7%), and 8Base (7%).
“Recent law enforcement activity has the potential to polarize the ransomware landscape, creating clusters of smaller RaaS operators that are highly active and harder to detect due to their agility in underground forums and markets,” Matt Hull, global head of threat intelligence at NCC Group, said.
“It appears that the attention drawn by the larger ‘brand’ ransomware, such as LockBit and Cl0p, is leading to new and small generic RaaS affiliate partnerships becoming the norm. As a result, detection and attribution could become harder, and affiliates may easily switch providers due to low entry thresholds and minimal monetary involvement.”
Indeed, smaller RaaS upstarts like Cloak, Medusa, and RansomHub are capitalizing on the high-profile law enforcement takedowns to fill the vacuum and recruit affiliates through advertisements on dark web forums such as UFO Labs and RAMP.
“Ransomware groups, including RaaS groups, most frequently rebrand or splinter as a means of continuing operations in the wake of law enforcement scrutiny,” GuidePoint Security said. “Affiliates, by comparison, face a marketplace of competing RaaS groups with a limited talent pool of affiliates from which to draw.”
“Recent increases in advertisements for affiliates may indicate continued limitations in available human resources, growing distrust in particular RaaS groups or the RaaS operating model, or impacted groups that do not intend to continue operations.”
This has also been complemented by threat actors finding novel ways to infect victims by mainly exploiting vulnerabilities in public-facing applications and evade detection, as well as refining their tactics by increasingly banking on legitimate software and living-off-the-land (LotL) techniques.
Also popular among ransomware attackers are utilities like TrueSightKiller, GhostDriver, and Terminator, which leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software.
“BYOVD attacks are attractive to threat actors, as they can provide a means by which to disable AV and EDR solutions at the kernel level,” Sophos researchers Andreas Klopsch and Matt Wixey said in a report this month. “The sheer amount of known vulnerable drivers means that attackers have a wealth of options to choose from.”
Other defense evasion software used by LockBit, Mimic, Phobos Royal, and Ryuk to disable security security products comprise Defender Control, Process Hacker, and GMER.
“Because these tools are those that can be used by ordinary users for legitimate purposes, there are limits to detecting and blocking these with just anti-malware products,” the AhnLab Security Intelligence Center (ASEC) said.
