BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
CVE: CVE-2023-42793
Summary:
The BianLian ransomware operators are exploiting vulnerabilities in JetBrains TeamCity to gain a foothold in victim networks, as reported by GuidePoint Security. The intrusion typically begins with the exploitation of a vulnerable, externally facing TeamCity server and ends with the deployment of a PowerShell variant of the BianLian ransomware. For initial access the threat actors exploit known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793. Once in, the attackers create new user accounts on the compromised build server and use them for lateral movement and other post-exploitation activity.
Security Officer Comments:
Notably, BianLian operators tailor a unique backdoor for each victim, typically written in Go. They also deploy remote desktop tools such as AnyDesk, Atera, Splashtop, and TeamViewer to maintain persistent access. In a related development, security firm VulnCheck disclosed proof-of-concept exploits for a severe Atlassian Confluence vulnerability, CVE-2023-22527; exploitation of that flaw has led to the deployment of C3RB3R ransomware, cryptocurrency miners, and remote access trojans over the preceding months, showing how quickly newly disclosed flaws in exposed server software are weaponized.
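The remote desktop tools above are the persistence artifacts a responder can hunt for on a suspected build server. The script below is an added example for this page, not GuidePoint's tooling: it scans a process inventory for those four tools and rates a hit higher when the binary runs from outside the usual install roots, the pattern of an attacker-dropped copy. The executable names, the expected install roots, and the sample inventory are all assumptions constructed here; baseline them against your own fleet before alerting on them.

```python
"""Hunt a host's process inventory for the remote-access tools the report
attributes to BianLian (AnyDesk, Atera, Splashtop, TeamViewer).

Added example for this page; it is not GuidePoint's tooling. The binary
names and the "expected install root" heuristic are assumptions; baseline
them against your own fleet before alerting on them.
"""
import csv
import io
from typing import Dict, List, Optional

# Assumed executable names for each tool (lower-case for matching).
RMM_BINARIES: Dict[str, List[str]] = {
    "AnyDesk": ["anydesk.exe"],
    "Atera": ["ateraagent.exe"],
    "Splashtop": ["srserver.exe", "srmanager.exe", "srservice.exe"],
    "TeamViewer": ["teamviewer.exe", "teamviewer_service.exe"],
}

# Assumed install roots for a sanctioned install. A sanctioned RMM agent is
# still worth reviewing, but one running from a user-writable path is the
# attacker-dropped pattern and is rated higher.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample inventory (Name,Path,UserName), shaped like an export of
# a process listing; not real telemetry from any incident.
SAMPLE_INVENTORY = """\
Name,Path,UserName
java.exe,C:\\TeamCity\\jre\\bin\\java.exe,NT AUTHORITY\\SYSTEM
AnyDesk.exe,C:\\Users\\Public\\AnyDesk.exe,BUILDSRV\\tc-build
TeamViewer.exe,C:\\Program Files\\TeamViewer\\TeamViewer.exe,BUILDSRV\\admin
svchost.exe,C:\\Windows\\System32\\svchost.exe,NT AUTHORITY\\SYSTEM
"""


def classify_process(name: str, path: str) -> Optional[Dict[str, str]]:
    """Return a finding if `name` is a known RMM binary, else None."""
    lname = name.lower()
    for tool, binaries in RMM_BINARIES.items():
        if lname in binaries:
            in_expected_root = path.lower().startswith(EXPECTED_ROOTS)
            return {
                "tool": tool,
                "name": name,
                "path": path,
                "severity": "medium" if in_expected_root else "high",
            }
    return None


def hunt_rmm_tools(inventory_csv: str) -> List[Dict[str, str]]:
    """Scan a CSV inventory with Name,Path,UserName columns and collect findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        finding = classify_process(row["Name"], row["Path"])
        if finding is not None:
            finding["user"] = row["UserName"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_rmm_tools(SAMPLE_INVENTORY):
        print(f"[{f['severity'].upper()}] {f['tool']}: {f['path']} (user {f['user']})")
```

On the constructed sample this reports the AnyDesk copy in C:\Users\Public as high and the TeamViewer install under Program Files as medium. A medium hit is not a verdict: confirm with whoever owns the server that the agent is sanctioned, and check the account it runs under against the newly created users the report describes.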
Suggested Corrections:
BianLian continues to show that it can adapt to a changing environment, particularly in exploiting newly disclosed vulnerabilities. GuidePoint Security's researchers' main recommendations center on preparedness and, above all, on promptly patching externally facing applications. Beyond that, exercising incident response plans, running threat intelligence-informed penetration tests, and using threat intelligence to track current trends in the threat landscape will make teams more effective and efficient at preventing attacks of this kind. A well-informed preventative and preparedness mindset, combined with a highly effective response capability, will leave you ready for whatever BianLian, or any other threat actor, throws at you.
Additionally, GuidePoint has published indicators of compromise that can be used to detect and defend against the BianLian ransomware:
https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/
The two vulnerabilities BianLian leverages for initial access can be mitigated using the options below:
CVE-2024-27198 (TeamCity) Suggested Corrections options:
https://thehackernews.com/2024/03/bianlian-threat-actors-exploiting.html
https://blog.jetbrains.com/teamcity...8-and-cve-2024-27199-update-to-2023-11-4-now/
https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/
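Because the primary correction is to patch, the first question for any TeamCity owner is whether the running version already contains the fixes. The check below is an added example for this page, not JetBrains' or GuidePoint's code: it parses a TeamCity version string such as "2023.11.3 (build 147512)" and lists which of the CVEs named in this report are still outstanding. The 2023.11.4 fix version for CVE-2024-27198 and CVE-2024-27199 is taken from the JetBrains post linked above; the 2023.05.4 fix version for CVE-2023-42793 is an assumption to verify against JetBrains' advisory before relying on it.

```python
"""Check a TeamCity version string against the fixed versions for the
CVEs named in this report.

Added example for this page, not JetBrains' or GuidePoint's code. The
2023.11.4 fix version for CVE-2024-27198/27199 comes from the JetBrains
post linked above; 2023.05.4 for CVE-2023-42793 is an assumption to verify
against JetBrains' advisory before relying on it.
"""
import re
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

FIXED_IN: Dict[str, Version] = {
    "CVE-2023-42793": (2023, 5, 4),   # assumed; verify with the vendor
    "CVE-2024-27198": (2023, 11, 4),  # from the linked JetBrains post
    "CVE-2024-27199": (2023, 11, 4),  # from the linked JetBrains post
}

# TeamCity reports versions such as "2023.11.3 (build 147512)"; only the
# year.minor[.patch] prefix matters for the comparison.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'YYYY.MM[.patch] ...' into a comparable tuple; patch defaults to 0."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def exposed_cves(version_text: str) -> List[str]:
    """Return the CVEs whose fix version is newer than the running version."""
    running = parse_version(version_text)
    return [cve for cve, fixed in FIXED_IN.items() if running < fixed]


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else "2023.11.3 (build 147512)"
    cves = exposed_cves(version)
    print(f"TeamCity {version}: " + (", ".join(cves) if cves else "no listed CVEs outstanding"))
```

Run it with the version string shown in the TeamCity UI footer or administration page. A version-only check cannot see whether a vendor-supplied security patch plugin was applied in place of a full upgrade, so treat a reported exposure as a prompt to verify rather than as proof of vulnerability; a clean result still says nothing about accounts or remote access tools an attacker may already have planted.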