
Weekly Digest Week 10 – 2024

Publication date

08.03.2024

JetBrains TeamCity Mass Exploitation Underway, Rogue Accounts Thrive

Attacks targeting two security vulnerabilities in the TeamCity CI/CD platform have begun in earnest just days after its developer, JetBrains, disclosed the flaws on March 3.

One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum severity CVSS rating of 9.8 out of 10 and is an authentication bypass issue in TeamCity’s Web component. Researchers from Rapid7 who discovered the vulnerability and reported it to JetBrains have described it as enabling a remote unauthenticated attacker to execute arbitrary code to take complete control of affected instances.

Around 30,000 organizations use TeamCity to automate build, testing and deployment processes for software projects in CI/CD environments. Like other recent TeamCity flaws, such as CVE-2024-23917 in February 2024 and CVE-2023-42793, which Russia's Midnight Blizzard group (also known for the infamous SolarWinds supply chain attacks) used in attacks last year, the two new ones have stoked considerable concern.

Analysis from our SOC team
JetBrains released a new version of the software, 2023.11.4, to fix the two vulnerabilities. It also published a security patch plugin so that customers who are unable to upgrade can still patch their environment.

If you require assistance with your vulnerability management, do not hesitate to contact our SOC.


VMware disclosed multiple vulnerabilities that allow attackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. In total, four vulnerabilities were disclosed, two of them with a CVSS score of 9.3. The vulnerabilities are extremely serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that is segmented from the host machine.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company said in a new advisory. "On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed."

Analysis from our SOC team
We recommend installing the latest available updates. Patches can be found in the VMware advisory: https://www.vmware.com/security/advisories/VMSA-2024-0006.html

If you require assistance with your vulnerability management, do not hesitate to contact our SOC.


On 6 March, the European Parliament and the Belgian Presidency of the Council of the European Union struck a provisional political agreement to strengthen cybersecurity capacities in the EU, covering the Cyber Solidarity Act as well as the targeted amendment to the Cyber Security Act (CSA), which together form the so-called "Cyber Solidarity Package".

The CCB welcomes these provisional agreements and emphasizes their contribution to reinforcing capacities to respond to large-scale cybersecurity incidents and promoting mutual solidarity among EU Member States, as well as fostering the emergence of trusted cybersecurity service providers, avoiding fragmentation of the internal market for managed security services.

Analysis from our SOC team
The "Cyber Solidarity Package" will enhance EU cybersecurity capacities and promote mutual solidarity among Member States. The principle of a "European SOC" is very exciting, and it will now be interesting to follow its implementation closely.

Don’t hesitate to contact us to make use of the expertise from our awareness team.


Recent efforts by Telenet and Proximus have drastically reduced the influx of suspicious text messages, with Proximus alone intercepting 16 million scam messages, as announced by Telecom Minister Petra De Sutter. 

These messages, designed to trick recipients into divulging personal information or transferring money, have been effectively blocked thanks to a new platform utilizing AI and machine learning algorithms. Dubbed the ‘Stop Smishing project,’ this initiative, part of the national recovery plan, is a collaboration between the Centre for Cybersecurity Belgium (CCB) and BIPT, spearheaded by Minister De Sutter.

Analysis from our SOC team
Although the reduction in the number of fraudulent messages is an important result, it is essential to maintain a high level of vigilance.

Suspicious messages can be forwarded to any of the three Safeonweb email addresses:
verdacht@safeonweb.be
suspect@safeonweb.be
suspicious@safeonweb.be

Our SOC is also available to assist in case there are any doubts or suspicions about text or mail messages.

