BianLian Hackers Hijacked TeamCity Servers To Install GO Backdoor

12 March 2024

BianLian attackers exploited a TeamCity vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access and move laterally within the network. They deployed a PowerShell backdoor disguised as legitimate tools that use two-layer obfuscation with encryption and string substitution to communicate with a Command and Control (C2) server. Researchers at Guidepoint Security linked this backdoor to the BianLian group based on its functionalities, SSL communication, and communication with a server identified as running BianLian’s GO backdoor. Escalating Threat: From TeamCity Breach to PowerShell Backdoor After Attackers exploited a TeamCity vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access, attackers used various Windows commands to discover the network and pivot to two build servers. Legitimate Winpty tools were abused to run commands and deploy malicious tools, including a PowerShell script (web.ps1).

Source: GBHackers

Date:

12 March 2024

Categorie(s):

NEWS

Tag(s):

Backdoors, BianLian, Cyber Attack, Cyber Security News, Cyber Threats

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites18 November 2024
Evaluating GRC tools18 November 2024
ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps18 November 2024
How and where to report cybercrime: What you need to know18 November 2024
Teen serial swatter-for-hire busted, pleads guilty, could face 20 years18 November 2024