Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

According to cybersecurity researchers at FortiGuard Labs, the Russian intelligence-linked APT29 group exploited a critical TeamCity vulnerability, which had initially been patched in September 2023.

Polish Military Counterintelligence Service (SKW) has released an advisory revealing that Russian Foreign Intelligence Service (SVR) affiliated threat actors are utilizing JetBrains CVE in global targeting.

Here, it is worth noting that TeamCity and JetBrains are closely linked, with TeamCity being a continuous integration (CI) server developed and maintained by JetBrains.

As reported by Hackread.com, the vulnerability, which scored 9.8 by CVSS, was patched in September 2023. However, authorities particularly identified the notorious advanced persistent threat group called APT29, aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, to be exploiting CVE-2023-42793.

The threat actor used Scheduled Tasks to execute GraphicalProton payloads, using rundll32 proxy execution as a defence evasion method. They also used legitimate third-party binaries vulnerable to search order hijacking.

“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations” the advisory read.

SKW’s findings are supported by the FortiGuard Labs team of researchers. In their latest blog post, FortiGuard reports that APT29 has targeted a US-based biomedical manufacturing organization (the name of which has not been shared with the media or public) and revealed the threat actor’s TTPs. The report discusses the intrusion of this vulnerability found in TeamCity, a Windows server, by APT29.

Researchers noted that on 6 September 2023, Sonar’s cybersecurity experts discovered a critical TeamCity On-Premises vulnerability (tracked as CVE-2023-42793). This vulnerability was assigned a CVSS score of 9.8 due to its ability to be deployed without authentication. CISA added it to its ‘Known Exploited Vulnerabilities Catalog’ on October 4, 2023.

The FortiGuard Incident Response team reports that in October 2023, a US-based biomedical manufacturing organization was compromised due to this vulnerability exploited by APT29. The attack was initially exploited using a custom-built Python script, matching the GraphicalProton malware used by APT29.

Analysis of application and system logs revealed evidence of successful exploitation, but some threat actors were unsuccessful at running Linux system commands on the victim Windows Server. APT29 likely employed Nuclei to identify potential victims and began executing additional discovery commands to gather system and privilege information.

The US-based tertiary education organization was targeted by APT29 with a C2 IP address discovered by the FortiGuard IR team. They discovered the organization’s infrastructure was compromised and identified an exploitation of their vulnerable TeamCity server.

The threat actor used the TeamCity exploit to install an SSH certificate, which they used to maintain access to another victim’s environment. The actor downloaded a DLL file, ‘AclNumsInvertHost.dll,’ on the TeamCity host and used the TeamCity RCE vulnerability to create a Windows-scheduled task referencing the DLL file for persistence.

The screenshot shows the attack timeline of TeamCity intrusion (Credit: Fortinet Labs)

Despite a patch, the attacker persisted on the compromised host, leveraging their GraphicalProton implant. FortiGuard believes this attack was part of a new APT29 campaign. Significant OPSEC considerations included compromised infrastructure, search order hijacking with legitimate DLLs added, quality of masquerading, and single-use infrastructure components.

Researchers recommend containment and eradication actions, including blocking IP addresses, removing TeamCity software accounts, removing Windows accounts, removing backdoors, and removing malicious files dropped by threat actors to stay protected against threats like GraphicalProton.

****RELATED ARTICLES****

1. Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack
2. Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
3. Microsoft warns of rising NOBELIUM credential attacks on defence sector
4. Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
5. Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks