The US (269), Germany (267), and Russia (191) were the most infected (admin accounts created) countries in a list shared by LeakIX. They had 330, 302, and 221 unpatched systems respectively at the last count.
“There are between 3 and 300 users created on compromised instances, usually the pattern is 8 alphanum characters,” LeakIX reportedly said.
The disclosure spat
Rapid7 believed the vulnerabilities were critical and released full technical details shortly after the patches were released, recommending immediate patching.
“TeamCity has been a popular target for attackers, including state-sponsored groups, over the past six months or so,” said Caitlin Condon, director of vulnerability intelligence at Rapid7.
“Both vulnerabilities Rapid7 discovered in TeamCity are authentication bypasses; the first (CVE-2024-27198) is critical and allows for unauthenticated remote code execution, which in turn gives potential attackers control over TeamCity builds, agents, artifacts, and so on,” Condon added. “The second vulnerability (CVE-2024-27199) is high-severity instead of critical, and allows for limited information disclosure and/or system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker’s choosing.”
However, in the security release for these vulnerabilities, JetBrains had indicated that the company was rushed into disclosing the issues by Rapid7 as the latter chose to strictly abide by its own vulnerability disclosure policy and was about to publish full technical details shortly.