Software developers who work with the continuous integration and deployment tool TeamCity should update their systems immediately. Attackers are currently exploiting two “critical” vulnerabilities in on-premises versions.
Admin vulnerabilities
If attacks succeed, attackers gain admin rights. From that position, they can inject malicious code into existing software projects. If the manipulated software goes into circulation, the malicious code continues to spread. Ultimately, everyone who uses the software unknowingly gets a Trojan on their systems. A supply chain attack like this has far-reaching consequences.
The on-premises version 2023.11.4, which is protected against these attacks, is already available. According to the provider, the cloud edition of TeamCity is already protected. Security researchers at Rapid7 break down the two vulnerabilities (CVE-2024-27198, CVE-2024-27199) in detail.
Ongoing attacks
Apparently many admins haven't updated their systems yet. In addition, TeamCity instances are publicly accessible via the Internet. According to the results of the search engine LeakIX, around 1,700 instances worldwide are accessible and vulnerable. There are over 330 of these systems in Germany. The USA follows closely behind with around 300 instances.
According to security researchers, more than 1,400 systems worldwide have already been compromised. The attacks are currently increasing rapidly, so admins should act immediately and install the version that is protected against them.
In order to reduce the attack surface, software distribution systems should only be publicly connected to the Internet when there is really no other option. If this is the case, access must be secured, for example via VPN.