Microsoft Warns of North Korean Attacks Exploiting TeamCity Flaw
North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft.
The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima).
Both activity clusters are sub-groups of the North Korean state-sponsored umbrella actor known as the Lazarus Group.
In one of the two attack paths employed by Diamond Sleet, a successful compromise of TeamCity servers is followed by the deployment of a known implant called ForestTiger from legitimate infrastructure previously compromised by the threat actor.
A second variant of the attacks leverages the initial foothold to retrieve a malicious DLL (DSROLE.dll, aka RollSling, or Version.dll, aka FeedLoad) that is loaded by means of DLL search-order hijacking: the file is placed where a legitimate executable looks for a DLL of that name before it reaches the genuine system copy, so the trusted process loads the attacker's code, which then executes either a next-stage payload or a remote access trojan (RAT).
Microsoft said it witnessed the adversary leveraging a combination of tools and techniques from both attack sequences in certain instances.
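To make the search-order hijack concrete, the following is an added example (not code from Microsoft's report or from the attackers) that models the default Windows DLL search order against a constructed file inventory and shows why a planted Version.dll or DSROLE.dll beside a trusted executable wins over the genuine copy in System32. The directory names, the `trusted.exe` host process and the file inventory are assumptions for illustration; the same helper doubles as a hunt over an endpoint file listing.

```python
"""Model of the default Windows DLL search order (SafeDllSearchMode enabled)
behind the hijack described above: a DLL named like a legitimate one
(Version.dll, DSROLE.dll) is placed where a trusted executable looks first,
so it loads instead of the genuine copy in System32. Added example; neither
Microsoft's nor the attacker's code. The inventory below is constructed."""

SYSTEM32 = r"c:\windows\system32"
WINDIR = r"c:\windows"

# Constructed inventory of files present on the modelled host (lower-cased).
# The two DLLs under c:\program files\trusted are the planted copies.
INVENTORY = {
    SYSTEM32 + r"\version.dll",
    SYSTEM32 + r"\dsrole.dll",
    SYSTEM32 + r"\kernel32.dll",
    r"c:\program files\trusted\trusted.exe",   # assumed trusted host process
    r"c:\program files\trusted\version.dll",   # planted, FeedLoad-style
    r"c:\program files\trusted\dsrole.dll",    # planted, RollSling-style
}

# Names served from the \KnownDlls object directory: the loader takes these
# without walking the search path, so this trick does not apply to them.
# Version.dll and DSROLE.dll are not on that list, which is why they are targets.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll"}


def search_order(app_dir, cwd, path_dirs):
    """Probe order with SafeDllSearchMode on: the application's directory,
    System32, the 16-bit system directory (omitted here), the Windows
    directory, the current directory, then each PATH entry."""
    return [app_dir, SYSTEM32, WINDIR, cwd, *path_dirs]


def resolve_dll(dll_name, app_dir, cwd, path_dirs, inventory=INVENTORY):
    """Return the path the loader would bind dll_name to, or None if absent."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return f"{SYSTEM32}\\{name}"
    dirs = search_order(app_dir.lower(), cwd.lower(), [p.lower() for p in path_dirs])
    for directory in dirs:
        candidate = f"{directory}\\{name}"
        if candidate in inventory:
            return candidate
    return None


def is_hijacked(dll_name, app_dir, cwd, path_dirs, inventory=INVENTORY):
    """True when a same-named DLL exists in System32 but the loader would
    bind a copy from somewhere else first."""
    chosen = resolve_dll(dll_name, app_dir, cwd, path_dirs, inventory)
    genuine = f"{SYSTEM32}\\{dll_name.lower()}"
    return genuine in inventory and chosen is not None and chosen != genuine


def find_hijack_candidates(inventory=INVENTORY):
    """Hunt helper for an endpoint file listing: DLLs that share a name with a
    System32 DLL but sit outside c:\\windows. Each is worth hashing and
    checking for a valid signature; it is a lead, not an automatic verdict."""
    system_names = {p.rsplit("\\", 1)[-1] for p in inventory
                    if p.startswith(SYSTEM32 + "\\")}
    return sorted(
        p for p in inventory
        if p.endswith(".dll")
        and not p.startswith(WINDIR + "\\")
        and p.rsplit("\\", 1)[-1] in system_names
    )
```

The model covers only the default directory walk. The real loader also honours application manifests, DLL redirection, `SetDefaultDllDirectories`/`LOAD_LIBRARY_SEARCH_*` flags and a process's own added DLL directories, any of which can change the outcome, so treat a hit from `find_hijack_candidates` as something to verify (signature, hash, load context) rather than a confirmed compromise.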
The intrusions mounted by Onyx Sleet, on the other hand, use the access afforded by exploitation of the TeamCity bug to create a new user account named krtbgt, a name likely chosen to pass as the legitimate built-in krbtgt account that issues Kerberos Ticket Granting Tickets.
“After creating the account, the threat actor adds it to the Local Administrators Group through net use,” Microsoft said. “The threat actor also runs several system discovery commands on compromised systems.”
The attacks subsequently lead to the deployment of a custom proxy tool dubbed HazyLoad that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure.
Another notable post-compromise action is the use of the attacker-controlled krtbgt account to sign into the compromised device via Remote Desktop Protocol (RDP) and to stop the TeamCity service, presumably to deny other threat actors the same entry point.
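As an added example (not Microsoft's detection logic), the following Python sketch runs the Onyx Sleet post-exploitation pattern from the paragraphs above over constructed Windows event records: a new local account whose name is an edit or two away from krbtgt (Security event 4720), that account being added to the Administrators group (4732), an RDP logon with it (4624, LogonType 10) and the TeamCity service entering the stopped state (System event 7036). The host name, usernames and flattened field layout are assumptions about what a SIEM export looks like.

```python
"""Detection of the post-exploitation chain attributed to Onyx Sleet: a local
account mimicking krbtgt is created, added to Administrators, used for an RDP
logon, and the TeamCity service is stopped. Added example, not Microsoft's
detection. Events below are constructed, flattened Windows event fields."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Benign noise is interleaved.
EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_build", "SubjectUserName": "admin"},
    {"EventID": 4720, "TargetUserName": "krtbgt", "SubjectUserName": "SYSTEM"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": r"BUILD01\krtbgt"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "krtbgt", "LogonType": 10},
    {"EventID": 7036, "param1": "Windows Update", "param2": "stopped"},
    {"EventID": 7036, "param1": "TeamCity Server", "param2": "stopped"},
]


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_krbtgt(name, max_distance=2):
    """True for names within max_distance edits of the built-in krbtgt account.
    'krtbgt' is a transposition of 'b' and 't', i.e. two substitutions away.
    An exact 'krbtgt' created via 4720 on a member server is just as odd."""
    return levenshtein(name.lower(), "krbtgt") <= max_distance


def detect_onyx_sleet_chain(events):
    """Collect per-account flags plus the TeamCity service stop."""
    accounts = defaultdict(lambda: {"created": False, "admin_added": False, "rdp_logon": False})
    teamcity_stopped = False
    for e in events:
        eid = e.get("EventID")
        user = e.get("TargetUserName", "")
        if eid == 4720 and looks_like_krbtgt(user):
            accounts[user.lower()]["created"] = True
        elif eid == 4732 and user.lower() == "administrators":
            # Real 4732 records carry a SID in MemberSid; resolve it first.
            member = e.get("MemberName", "").split("\\")[-1]
            if looks_like_krbtgt(member):
                accounts[member.lower()]["admin_added"] = True
        elif eid == 4624 and e.get("LogonType") == 10 and looks_like_krbtgt(user):
            accounts[user.lower()]["rdp_logon"] = True
        elif eid == 7036 and "teamcity" in e.get("param1", "").lower() \
                and e.get("param2", "").lower() == "stopped":
            teamcity_stopped = True
    return {"suspicious_accounts": dict(accounts), "teamcity_service_stopped": teamcity_stopped}


def severity(findings):
    """'high' when one account shows the full create/admin/RDP chain and the
    service stop; 'medium' for any lookalike-account activity; else 'low'."""
    full_chain = any(all(flags.values()) for flags in findings["suspicious_accounts"].values())
    if full_chain and findings["teamcity_service_stopped"]:
        return "high"
    if findings["suspicious_accounts"]:
        return "medium"
    return "low"
```

Two caveats when moving this onto real logs: 4732 identifies the added member by SID, so resolve `MemberSid` to a name before the lookalike check, and the 7036 service-name text depends on how TeamCity was installed, so match on the configured service display name rather than the literal used here.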
Over the years, the Lazarus group has established itself as one of the most pernicious and sophisticated advanced persistent threat (APT) groups currently active, orchestrating financial crime and espionage attacks in equal measure via cryptocurrency heists and supply chain attacks.
“We certainly believe that North Korean hacking of cryptocurrency around infrastructure, around the world – including in Singapore, Vietnam, and Hong Kong – is a major source of revenue for the regime that’s used to finance the advancing of the missile program and the far greater number of launches we have seen in the last year,” U.S. Deputy National Security Advisor, Anne Neuberger, said.
The development comes as the AhnLab Security Emergency Response Center (ASEC) detailed the Lazarus Group’s use of malware families such as Volgmer and Scout that act as a conduit for serving backdoors for controlling the infected systems.
“The Lazarus group is one of the very dangerous groups that are highly active worldwide, using various attack vectors such as spear-phishing and supply chain attacks,” the South Korean cybersecurity firm said, linking the group to another campaign codenamed Operation Dream Magic.
This involves mounting watering hole attacks by inserting a rogue link within a specific article on an unspecified news website that weaponizes security flaws in INISAFE and MagicLine products to activate the infections, a tactic previously associated with the Lazarus Group.
In a further sign of North Korea's evolving offensive programs, ASEC has attributed a fresh set of spear-phishing attacks to another threat actor known as Kimsuky (aka APT43). The attacks use the BabyShark malware to install an assortment of remote desktop tools and VNC software (including TightVNC and TinyNuke) to commandeer victim systems and exfiltrate information.