Security
Headlines
HeadlinesLatestCVEs

Headline

North Korean State Actors Attack Critical Bug in TeamCity Server

Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.

DARKReading
#vulnerability#microsoft#git#backdoor#rce#auth

Two North Korean state-backed threat groups, whom Microsoft is tracking as Diamond Sleet and Onyx Sleet, are actively exploiting CVE-2023-42793, a critical remote code execution (RCE) bug in on-premises versions of JetBrains TeamCity continuous integration and delivery server.

The attackers are leveraging the bug to drop backdoors and other implants for carrying out a wide range of malicious activities, including cyber espionage, data theft, financially motivated attacks, and network sabotage, Microsoft said in a report this week. TeamCity is a platform that some 30,000 organizations — including several major brands like Citibank, Nike, and Ferrari — use to automate software build, test, and deployment processes.

Critical Authentication Bypass Vulnerability

Based on previous campaigns, Diamond Sleet presents a threat mainly to organizations in IT services, media, and defense-related sectors globally. Onyx Fleet has a somewhat narrower focus and has mostly targeted defense and IT services entities in the US, South Korea, and India. “While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation,” Microsoft said.

JetBrains disclosed CVE-2023-42793 on Sept. 30 and assigned it a near-maximum severity score of 9.8 out of 10 on the CVSS scale. The software vendor described the vulnerability as enabling an unauthenticated attack to perform a RCE attack and gain administrative privileges on an affected, Internet-exposed TeamCity server. The vulnerability is present in all on-premises versions of TeamCity.

ForestTiger Backdoor and Other Payloads

In Diamond Fleet’s attacks targeting the flaw, the threat actor has been using PowerShell to download two malicious payloads from legitimate infrastructure that the threat actor appears to have compromised previously. One of the payloads is a backdoor dubbed ForestTiger that the attacker uses to run scheduled tasks on compromised systems and also to dump credentials. The other malicious payload is a configuration file for the malware that contains information on its command-and-control (C2) infrastructure and other parameters.

Microsoft said it also observed Diamond Sleet actors leveraging PowerShell to download a malicious dynamic link library (DLL), a technique that threat actors often use to execute unauthorized code on compromised systems.

Meanwhile, Onyx Sleet’s tactic after exploiting CVE-2023-42793 has been to create a new user account on compromised systems with a name that appears designed to impersonate the legitimate Kerberos Ticket Granting Ticket Account, Microsoft said. The attacker has then been adding the account to the Local Administrators Group and using it to download and decrypt an embedded Portable Executable (PE) resource which is then loaded and launched in memory. “The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure,” Microsoft noted.

Trivial to Find and Exploit

Stefan Schiller, vulnerability researcher at Sonar, which discovered and reported CVE-2023-42793 to JetBrains, says the vulnerability is very easy for a threat actor to find and abuse. The version of a TeamCity instance can be determined by simply visiting the login page and determining whether the specific version is 2023.05.3 and below, which would mean it is vulnerable. “Once a vulnerable instance is identified, the exploitation is straightforward. Neither authentication nor any kind of user interaction is necessary to exploit the vulnerability,” Schiller says.

Due to the nature of the vulnerability, its exploitation is also very reliable. “This makes it very likely that all publicly exposed, vulnerable instances are successfully exploited,” he says.

The attacks are the latest manifestation of growing threat actor interest in software development pipelines as an initial access vector and avenue for stealing source code and secrets from companies and for potentially poisoning software and apps in SolarWinds-like fashion.

Vulnerabilities such as CVE-2023-42793 in a CI/CD platform enable supply chain attacks that can have far reaching consequences, says Henrik Plate, security researcher at application security company Endor Labs. It’s often not just the organization using the affected software that feels the impact but also any downstream users that might download and execute software built on the system. “The worst-case scenario is probably one where attackers silently manipulate the software created by TeamCity, as this would affect all the users running such infected software,” he says. “Such attacks are comparable to the SolarWinds incident, where compromised versions of SolarWinds were downloaded and run by numerous organizations.”

Addressing Supply Chain Risks

At a high-level, software organizations should try and establish a traceable and verifiable link between the source code and the final build artifact that will be distributed to consumers, Plate says. They need to be able to answers questions like what version of the source code was used as input, which tools were used to compile and transform the various inputs, and what were their configurations. Resources such as the SLSA project and NIST’s Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipeline offer actionable advice on the steps software teams can take to address CI/CD security, Plate notes.

In addition, implementing practices such as Reproducible builds can help in post-compromise situations, because they produce bit-identical software artifacts, as long as the same inputs and environment are used. “However, making builds reproducible can take a considerable effort and must have been put in place before the incident,” Plate says.

JetBrains released a fixed version of TeamCity (version 2023.05.4) at time of vulnerability disclosure and strongly urged organizations to upgrade to it, to mitigate exposure to the threat. The company also released a security patch that organizations — which cannot update to the new version immediately — can plug in to their existing TeamCity version to address the RCE.

Related news

CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who

Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover - Patch Now

JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances. The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity. "The vulnerability may enable an unauthenticated

Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

By Waqas Polish authorities and FortiGuard Labs have issued a warning to customers about a new wave of cyberattacks associated with TeamCity. This is a post from HackRead.com Read the original post: Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks

Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain

Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans

The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based

North Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack

A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads,

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

Microsoft Warns of North Korean Attacks Exploiting TeamCity Flaw

North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It's worth noting that both the

CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below - CVE-2023-42793 (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability

JetBrains TeamCity Unauthenticated Remote Code Execution

This Metasploit module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource.

JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking

By Deeba Ahmed JetBrains has fixed this flaw in version 2023.05.4 of the product released on September 18. It also released a security advisory but didn't disclose technical details of the vulnerability for now. This is a post from HackRead.com Read the original post: JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking

Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems. The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6,

DARKReading: Latest News

Apple Urgently Patches Actively Exploited Zero-Days