Russia’s Foreign Intelligence Service (SVR) is exploiting JetBrains’ TeamCity CI/CD server on a large scale, causing security alarm, according to a report by the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC). The vulnerability, analogous to the one that facilitated the 2020 attack on SolarWinds, was announced in September.
- The vulnerability delivers enough access to manipulate a software’s source code, sign certificates, and develop and deploy processes, the advisory warns.
- So far, there is no evidence suggesting that the SVR has used the access to launch attacks similar to the SolarWinds case.
- Software supply chain attacks have become particularly desirable for attackers due to the potential delivery of signed malicious code to numerous organizations.
- Authorities foresee more serious attacks as part of a preparatory phase by the SVR. The priorities for the SVR appear to be establishing a footprint in the victims’ environments and deploying command and control (C2) infrastructure that is hard to detect.
- Attackers have also been observed abusing OneDrive, employing GraphicalProton backdoor with layers of encryption, obfuscation, encoders, and stagers, and deploying the Mimikatz toolkit.
Despite JetBrains releasing patches in September, data from Shadowserver suggests that around 800 TeamCity instances are still exposed to CVE-2023-42793 exploits. Experts fear this large scale exploitation of TeamCity aligns with Russia’s broad objectives in cyberspace, including stealing foreign intelligence information. This security risk also reflects SVR’s expansion on spear phishing methods over the past ten years to steal political, economic, scientific, and technological foreign intelligence.