BianLian threat actors use JetBrains TeamCity flaws in ransomware attacks.

BianLian threat actors use JetBrains TeamCity flaws in ransomware attacks.

The threat actors behind the BianLian ransomware have been discovered using security holes in JetBrains TeamCity software to carry out extortion-only assaults.

According to a new GuidePoint Security report on a recent attack, the event “began with the exploitation of a TeamCity server, which resulted in the deployment of a PowerShell implementation of BianLian’s Go backdoor.”

BianLian debuted in June 2022 and has since focused solely on exfiltration-based extortion since the introduction of a decryptor in January 2023.

The cybersecurity firm observed an attack chain that involved exploiting a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, then creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.

It is still unclear which of the two weaknesses was used by the threat actor for penetration.

A proof-of-concept exploit has been released for Progress Software OpenEdge Vulnerability

BianLian actors are reported to implant a bespoke backdoor written in Go for each victim, as well as remote desktop applications such as AnyDesk, Atera, SplashTop, and TeamViewer. Microsoft tracks the backdoor as BianDoor.

“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides almost identical functionality to what they would have with their Go backdoor,” security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.

The obfuscated PowerShell backdoor (“web.ps1”) is intended to open a TCP socket for extra network connection with an actor-controlled server, enabling remote attackers to execute arbitrary activities on an affected machine.

“The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker’s post-exploitation objectives,” the authors of the study said.

Magnet Goblin Hacker Group Uses One-Day Exploits to Deploy Nerbian RAT

The disclosure comes as VulnCheck details new proof-of-concept (PoC) exploits for a critical security flaw affecting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527), which could allow remote code execution in a fileless manner and load the Godzilla web shell directly into memory.

Over the last two months, the issue has been used to distribute C3RB3R ransomware, bitcoin miners, and remote access trojans, suggesting extensive exploitation.

“There’s more than one way to reach Rome,” VulnCheck’s Jacob Baines said. “While using freemarker.template.utility.Execute appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators.”


Scroll to Top