Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned.
The targets
APT 29 (aka Cozy Bear, aka Midnight Blizzard), assessed to be associated with the Russian Foreign Intelligence Service (SVR), has been active since at least 2013.
The group is known for targeting a wide variety of organizations: government agencies, think tanks, political organizations, diplomatic agencies, biomedical and energy companies, as well as IT companies. Their main goal seems to be the collection of foreign intelligence.
“In April 2021, the U.S. Government attributed a supply chain operation targeting the SolarWinds information technology company and its customers to the SVR. This attribution marked the discovery that the SVR had, since at least 2018, expanded the range of its cyber operations to include the widespread targeting of information technology companies. At least some of this targeting was aimed at enabling additional cyber operations,” the authorities explained.
“In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies,” they added. Though, as they noted, this time around, “the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server.”
These attacks seem to be opportunistic in nature and hit disparate organizations in the US, Europe, Asia, and Australia: “an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.”
Fortinet has also published details about their investigation of a recent intrusion at a US-based organization in the biomedical manufacturing industry, which they believe may be the work of APT 29.
The attacks
In these latest attacks, APT 29 has exploited CVE-2023-42793, an authentication bypass vulnerability in the TeamCity CI/CD platform that can be chained into remote code execution (RCE) on the server.
Patches were released in mid-September 2023 (TeamCity 2023.05.4), but according to the Shadowserver Foundation nearly 800 unpatched, internet-exposed JetBrains TeamCity instances remain worldwide.
After gaining initial access by exploiting the vulnerability, the attackers performed host and network reconnaissance, escalated their privileges, moved laterally, deployed backdoors, and took steps to ensure long-term access to the compromised environments, using a number of techniques to avoid detection along the way.
“Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations,” the agencies noted in the security advisory.
Still, the agencies say they have not observed APT 29 using the access it gained at software developers to move on into those developers' customers' networks.
Checking for evidence of compromise
The agencies’ advisory contains indicators of compromise (log file entries, files, IP addresses) and lays out the techniques used by the attackers.
Security teams at organizations that did not patch their internet-facing TeamCity servers promptly should both apply the update and check for signs of intrusion, whether by APT 29 or by other attackers.
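To make that advice concrete, here is an added example that is not part of the advisory or this article: a small Python scanner for the access log of a reverse proxy sitting in front of TeamCity. The log lines and the IoC address list are constructed for the example (the real indicators must be taken from the advisory itself), and the function and constant names are the example's own. The request signatures encode the publicly documented exploitation chain for CVE-2023-42793: an unauthenticated request to `/app/rest/users/<id>/tokens/RPC2` (the `/RPC2` suffix is what bypassed authentication), enabling the REST debug endpoint through `internal.properties`, then launching a process via `/app/rest/debug/processes`. Targets are percent-decoded before matching so an encoded variant of the path does not slip past the rules.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed access log in Apache/nginx "combined"-style format; not a real
# capture. 203.0.113.10 plays the attacker, 198.51.100.23 sends an encoded
# variant of the token-creation request, and the last line is deliberately
# unparsable so the scanner's error handling is exercised.
CONSTRUCTED_ACCESS_LOG = """\
203.0.113.10 - - [20/Sep/2023:12:00:01 +0000] "GET /login.html HTTP/1.1" 200 5120
203.0.113.10 - - [20/Sep/2023:12:00:03 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 312
203.0.113.10 - - [20/Sep/2023:12:00:05 +0000] "POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable=true HTTP/1.1" 200 0
203.0.113.10 - - [20/Sep/2023:12:00:09 +0000] "POST /app/rest/debug/processes?exePath=cmd.exe&params=/c+whoami HTTP/1.1" 200 88
198.51.100.7 - - [20/Sep/2023:12:01:00 +0000] "GET /app/rest/builds HTTP/1.1" 200 2048
192.0.2.44 - - [20/Sep/2023:12:02:00 +0000] "GET /RPC2 HTTP/1.1" 200 10
198.51.100.23 - - [20/Sep/2023:12:03:00 +0000] "POST /app/rest/users/id%3A1/tokens/RPC2 HTTP/1.1" 200 312
not a log line
"""

# Placeholder IoC addresses for the example only; take the real list from
# the advisory, not from here.
CONSTRUCTED_IOC_IPS = frozenset({"203.0.113.10"})

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# (label, pattern, what to match it against). Most specific rule first; the
# scanner stops at the first signature hit per line. Scope "path" matches the
# decoded path without the query string, "target" matches the whole decoded
# request target. A bare GET /RPC2 (TeamCity's legacy XML-RPC endpoint) is
# deliberately not flagged; only the suffix abused under /app/rest/ is.
SIGNATURES = [
    ("auth-bypass token creation",
     re.compile(r"^/app/rest/users/[^/?]+/tokens/RPC2(?:[/?]|$)"), "path"),
    ("auth-bypass (/RPC2 suffix under REST API)",
     re.compile(r"^/app/rest/.+/RPC2(?:[/?]|$)"), "path"),
    ("debug endpoint enabled via internal.properties",
     re.compile(r"rest\.debug\.processes\.enable=true"), "target"),
    ("remote process execution via debug endpoint",
     re.compile(r"^/app/rest/debug/processes(?:[/?]|$)"), "path"),
]


@dataclass
class Finding:
    line_no: int
    ip: str
    method: str
    target: str
    reasons: list


def scan_access_log(text, ioc_ips=frozenset()):
    """Return (findings, unparsed_line_count) for a combined-format log."""
    findings = []
    unparsed = 0
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1  # count and keep going rather than abort the scan
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        decoded = unquote(target)            # defeat %-encoded evasion
        path = decoded.split("?", 1)[0]
        reasons = []
        if ip in ioc_ips:
            reasons.append("source IP in IoC list")
        for label, pattern, scope in SIGNATURES:
            if pattern.search(path if scope == "path" else decoded):
                reasons.append(label)
                break
        if reasons:
            findings.append(Finding(line_no, ip, method, target, reasons))
    return findings, unparsed


def reasons_by_source(findings):
    """Group hit reasons per source IP so the exploit chain is visible at a glance."""
    summary = {}
    for f in findings:
        summary.setdefault(f.ip, set()).update(f.reasons)
    return summary


if __name__ == "__main__":
    hits, bad = scan_access_log(CONSTRUCTED_ACCESS_LOG, CONSTRUCTED_IOC_IPS)
    for f in hits:
        print(f"line {f.line_no}: {f.ip} {f.method} {f.target} -> {', '.join(f.reasons)}")
    print(f"{bad} unparsable line(s); per-source summary: {reasons_by_source(hits)}")
```

A hit on the token-creation or debug-endpoint signature is strong evidence of exploitation regardless of the source address, so the signatures matter more than the IP list, which attackers rotate; a hit on the IoC list alone (the `/login.html` line above) is a lead to pivot on, not proof. Run the same rules over the TeamCity server's own request logging if no proxy sits in front of it.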
According to Microsoft, since early October the North Korea-backed groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have also been exploiting CVE-2023-42793 to gain persistent access to compromised networks and use them as a foothold for further operations.