Microsoft Warns of North Korean Attacks Exploiting TeamCity Flaw

North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft.

The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima).

It’s worth noting that both the threat activity clusters are part of the infamous North Korean nation-state actor known as Lazarus Group.

In one of the two attack paths employed by Diamond Sleet, a successful compromise of TeamCity servers is followed by the deployment of a known implant called ForestTiger from legitimate infrastructure previously compromised by the threat actor.

A second variant of the attacks leverages the initial foothold to retrieve a malicious DLL (DSROLE.dll aka RollSling or Version.dll or FeedLoad) that’s loaded by means of a technique referred to as DLL search-order hijacking to either execute a next-stage payload or a remote access trojan (RAT).

Microsoft said it witnessed the adversary leveraging a combination of tools and techniques from both attack sequences in certain instances.

The intrusions mounted by Onyx Sleet, on the other hand, use the access afforded by the exploitation of the JetBrains TeamCity bug to create a new user account named krtbgt that’s likely intended to impersonate the Kerberos Ticket Granting Ticket.

“After creating the account, the threat actor adds it to the Local Administrators Group through net use,” Microsoft said. “The threat actor also runs several system discovery commands on compromised systems.”

The attacks subsequently lead to the deployment of a custom proxy tool dubbed HazyLoad that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure.

Another notable post-compromise action is the use of the attacker-controlled krtbgt account to sign into the compromised device via remote desktop protocol (RDP) and terminating the TeamCity service in a bid to prevent access by other threat actors.

Over the years, the Lazarus group has established itself as one of the most pernicious and sophisticated advanced persistent threat (APT) groups currently active, orchestrating financial crime and espionage attacks in equal measure via cryptocurrency heists and supply chain attacks.

“We certainly believe that North Korean hacking of cryptocurrency around infrastructure, around the world – including in Singapore, Vietnam, and Hong Kong – is a major source of revenue for the regime that’s used to finance the advancing of the missile program and the far greater number of launches we have seen in the last year,” U.S. Deputy National Security Advisor, Anne Neuberger, said.

The development comes as the AhnLab Security Emergency Response Center (ASEC) detailed the Lazarus Group’s use of malware families such as Volgmer and Scout that act as a conduit for serving backdoors for controlling the infected systems.

“The Lazarus group is one of the very dangerous groups that are highly active worldwide, using various attack vectors such as spear-phishing and supply chain attacks,” the South Korean cybersecurity firm said, implicating the hacking crew to another campaign codenamed Operation Dream Magic.

This involves mounting watering hole attacks by inserting a rogue link within a specific article on an unspecified news website that weaponizes security flaws in INISAFE and MagicLine products to activate the infections, a tactic previously associated with the Lazarus Group.

In a further sign of North Korea’s evolving offensive programs, ASEC has attributed another threat actor known as Kimsuky (aka APT43) to a fresh set of spear-phishing attacks that utilize the BabyShark malware to install a motley slate of remote desktop tools and VNC software (i.e., TightVNC and TinyNuke) to commandeer victim systems and exfiltrate information.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.