North Korean State Actors Attack Critical Bug in TeamCity Server

Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.

DARKReading

Two North Korean state-backed threat groups, whom Microsoft is tracking as Diamond Sleet and Onyx Sleet, are actively exploiting CVE-2023-42793, a critical remote code execution (RCE) bug in on-premises versions of JetBrains TeamCity continuous integration and delivery server.

The attackers are leveraging the bug to drop backdoors and other implants for carrying out a wide range of malicious activities, including cyber espionage, data theft, financially motivated attacks, and network sabotage, Microsoft said in a report this week. TeamCity is a platform that some 30,000 organizations — including several major brands like Citibank, Nike, and Ferrari — use to automate software build, test, and deployment processes.

Critical Authentication Bypass Vulnerability

Based on previous campaigns, Diamond Sleet presents a threat mainly to organizations in IT services, media, and defense-related sectors globally. Onyx Sleet has a somewhat narrower focus and has mostly targeted defense and IT services entities in the US, South Korea, and India. “While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation,” Microsoft said.

JetBrains disclosed CVE-2023-42793 on Sept. 30 and assigned it a near-maximum severity score of 9.8 out of 10 on the CVSS scale. The software vendor described the vulnerability as enabling an unauthenticated attacker to perform an RCE attack and gain administrative privileges on an affected, Internet-exposed TeamCity server. The vulnerability is present in all on-premises versions of TeamCity.

ForestTiger Backdoor and Other Payloads

In Diamond Sleet’s attacks targeting the flaw, the threat actor has been using PowerShell to download two malicious payloads from legitimate infrastructure that the threat actor appears to have compromised previously. One of the payloads is a backdoor dubbed ForestTiger that the attacker uses to run scheduled tasks on compromised systems and also to dump credentials. The other malicious payload is a configuration file for the malware that contains information on its command-and-control (C2) infrastructure and other parameters.

Microsoft said it also observed Diamond Sleet actors leveraging PowerShell to download a malicious dynamic link library (DLL), a technique that threat actors often use to execute unauthorized code on compromised systems.

Meanwhile, Onyx Sleet’s tactic after exploiting CVE-2023-42793 has been to create a new user account on compromised systems with a name that appears designed to impersonate the legitimate Kerberos Ticket Granting Ticket Account, Microsoft said. The attacker has then been adding the account to the Local Administrators Group and using it to download and decrypt an embedded Portable Executable (PE) resource which is then loaded and launched in memory. “The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure,” Microsoft noted.
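A defender-side check for the Onyx Sleet behaviour described above, added here as an example and not taken from Microsoft's report or the original article: it correlates local account creation (Windows Security event 4720) with a member being added to a local group (event 4732) and flags new accounts whose names closely resemble krbtgt, the built-in Kerberos TGT account. The event records, host names, account names and the 0.8 similarity threshold are constructed for illustration.

```python
from difflib import SequenceMatcher

LEGIT = "krbtgt"                 # name of the built-in Kerberos TGT account
CREATED, GROUP_ADD = 4720, 4732  # Windows Security event IDs
ADMIN_GROUP = "Administrators"

# Constructed sample events with simplified fields (assumption: member SIDs
# in real 4732 events have already been resolved to account names).
SAMPLE_EVENTS = [
    {"id": 4720, "host": "build01", "target": "svc_deploy"},
    {"id": 4732, "host": "build01", "member": "svc_deploy", "group": "Remote Desktop Users"},
    {"id": 4720, "host": "tc-srv", "target": "krbtg7"},
    {"id": 4732, "host": "tc-srv", "member": "krbtg7", "group": "Administrators"},
    {"id": 4720, "host": "ws-114", "target": "krbtgtt"},  # created, never made admin
    {"id": 4720, "host": "ws-115", "target": "jsmith"},
    {"id": 4732, "host": "ws-115", "member": "jsmith", "group": "Administrators"},
]


def resembles_krbtgt(name, threshold=0.8):
    """True when a new account name is close to, or equal to, krbtgt.

    An exact match counts too: a new local account reusing that name is just
    as unexpected as a near miss.
    """
    return SequenceMatcher(None, name.lower(), LEGIT).ratio() >= threshold


def detect(events):
    """Return (host, account, finding) tuples in event order."""
    lookalikes = set()  # (host, lowercased name) of flagged new accounts
    findings = []
    for ev in events:
        if ev["id"] == CREATED and resembles_krbtgt(ev["target"]):
            lookalikes.add((ev["host"], ev["target"].lower()))
            findings.append((ev["host"], ev["target"], "lookalike-account-created"))
        elif (ev["id"] == GROUP_ADD and ev["group"] == ADMIN_GROUP
              and (ev["host"], ev["member"].lower()) in lookalikes):
            # Creation followed by local admin membership matches the
            # sequence described in the article; treat it as higher severity.
            findings.append((ev["host"], ev["member"], "lookalike-added-to-administrators"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

An ordinary new administrator such as the constructed jsmith account is not flagged; only the combination of a krbtgt-like name and the creation event triggers a finding.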

Trivial to Find and Exploit

Stefan Schiller, vulnerability researcher at Sonar, which discovered and reported CVE-2023-42793 to JetBrains, says the vulnerability is very easy for a threat actor to find and abuse. The version of a TeamCity instance can be determined by simply visiting the login page; a version of 2023.05.3 or below means the instance is vulnerable. “Once a vulnerable instance is identified, the exploitation is straightforward. Neither authentication nor any kind of user interaction is necessary to exploit the vulnerability,” Schiller says.

Due to the nature of the vulnerability, its exploitation is also very reliable. “This makes it very likely that all publicly exposed, vulnerable instances are successfully exploited,” he says.

The attacks are the latest manifestation of growing threat actor interest in software development pipelines as an initial access vector and avenue for stealing source code and secrets from companies and for potentially poisoning software and apps in SolarWinds-like fashion.

Vulnerabilities such as CVE-2023-42793 in a CI/CD platform enable supply chain attacks that can have far reaching consequences, says Henrik Plate, security researcher at application security company Endor Labs. It’s often not just the organization using the affected software that feels the impact but also any downstream users that might download and execute software built on the system. “The worst-case scenario is probably one where attackers silently manipulate the software created by TeamCity, as this would affect all the users running such infected software,” he says. “Such attacks are comparable to the SolarWinds incident, where compromised versions of SolarWinds were downloaded and run by numerous organizations.”

Addressing Supply Chain Risks

At a high level, software organizations should try to establish a traceable and verifiable link between the source code and the final build artifact that will be distributed to consumers, Plate says. They need to be able to answer questions such as what version of the source code was used as input, which tools were used to compile and transform the various inputs, and what their configurations were. Resources such as the SLSA project and NIST’s Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipeline offer actionable advice on the steps software teams can take to address CI/CD security, Plate notes.

In addition, implementing practices such as reproducible builds can help in post-compromise situations, because they produce bit-identical software artifacts, as long as the same inputs and environment are used. “However, making builds reproducible can take a considerable effort and must have been put in place before the incident,” Plate says.
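How a reproducible build helps after a suspected build-server compromise, as an added example that is not from the article, SLSA or NIST: the artifacts that were shipped are compared file by file against an independent rebuild, but only after confirming that both builds recorded the same inputs (source version, toolchain, configuration), the questions Plate lists above. The record field names, file names and contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical fields of a per-build input record (not a SLSA schema).
INPUT_KEYS = ("source_commit", "toolchain", "build_config_sha256")


def digest_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_rebuild(shipped_dir, shipped_inputs, rebuilt_dir, rebuilt_inputs):
    # Bit-identical output is only expected for identical inputs, so input
    # drift makes the comparison inconclusive rather than evidence of tampering.
    drift = [k for k in INPUT_KEYS if shipped_inputs.get(k) != rebuilt_inputs.get(k)]
    if drift:
        return {"verdict": "inconclusive", "input_drift": drift}
    shipped, rebuilt = digest_tree(shipped_dir), digest_tree(rebuilt_dir)
    report = {
        "modified": sorted(n for n in shipped.keys() & rebuilt.keys()
                           if shipped[n] != rebuilt[n]),
        "only_shipped": sorted(shipped.keys() - rebuilt.keys()),
        "only_rebuilt": sorted(rebuilt.keys() - shipped.keys()),
    }
    report["verdict"] = "mismatch" if any(report.values()) else "bit-identical"
    return report


def demo():
    """Constructed sample: two tiny artifact trees written to a temp dir."""
    inputs = {"source_commit": "constructed-commit-id", "toolchain": "constructed-jdk-17",
              "build_config_sha256": "constructed-digest"}
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        for d in (shipped, rebuilt):
            (d / "lib").mkdir(parents=True)
            (d / "app.jar").write_bytes(b"constructed app bytes")
            (d / "lib" / "util.jar").write_bytes(b"constructed util bytes")
        clean = verify_rebuild(shipped, inputs, rebuilt, inputs)
        # Simulate a shipped tree that differs from what the inputs produce.
        (shipped / "lib" / "util.jar").write_bytes(b"constructed util bytes, altered")
        (shipped / "lib" / "extra.bin").write_bytes(b"constructed unexpected file")
        tampered = verify_rebuild(shipped, inputs, rebuilt, inputs)
        drifted = verify_rebuild(shipped, inputs, rebuilt,
                                 dict(inputs, toolchain="constructed-jdk-21"))
    return clean, tampered, drifted
```

The rebuild has to run on infrastructure that is independent of the suspect build server, otherwise both trees can carry the same modification and still compare as bit-identical.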

JetBrains released a fixed version of TeamCity (version 2023.05.4) at time of vulnerability disclosure and strongly urged organizations to upgrade to it, to mitigate exposure to the threat. The company also released a security patch that organizations — which cannot update to the new version immediately — can plug in to their existing TeamCity version to address the RCE.
