Russian hackers aim for unprotected JetBrains TeamCity servers

December 14, 2023
  • Russian state-sponsored hackers identified as APT 29 have been exploiting CVE-2023-42793 to target unpatched JetBrains TeamCity servers since September 2023, according to US, UK, and Polish cybersecurity and law enforcement authorities.
  • The prominent targets of these hackers include a wide range of organisations like government bodies, think tanks, political and diplomatic agencies, and tech, biomedical, and energy companies.
  • APT 29, associated with Russia’s Foreign Intelligence Service (SVR), has been operational since 2013 with a primary objective of foreign intelligence collection.
  • The hackers exploited an authentication bypass vulnerability on the TeamCity CI/CD platform, which led to them gaining initial access, after which they escalated privileges, deployed backdoors and took steps for ensuring long-term access to the compromised networks.
  • As of yet, APT 29 has not used its access to software developers’ networks to target customer networks.
  • Nearly 800 JetBrains TeamCity instances remain unpatched worldwide, despite patches being available since mid-September 2023.

This hacking campaign, attributed to Russian state-sponsored hackers, targets unpatched, internet-facing JetBrains TeamCity servers. The group, known as APT 29, CozyBear, or Midnight Blizzard, exploits an authentication bypass vulnerability in the TeamCity CI/CD platform that leads to remote code execution (RCE). Although patches have been available since mid-September 2023, there are reportedly still almost 800 unpatched JetBrains TeamCity instances globally, according to the Shadowserver Foundation.

After gaining initial access, the hackers performed a variety of activities to secure long-term access to their victims’ networks. They conducted host and network reconnaissance, escalated their privileges, moved laterally, deployed backdoors, and took various measures to avoid detection. TeamCity, JetBrains’ software development tool, is primarily used for managing and automating software compilation, testing, and releasing. If it is compromised, hackers could gain access to the developers’ source code and signing certificates, enabling them to subvert software compilation and deployment processes.

The authorities stated that, so far, APT 29 has not used its access to software developers’ networks to infiltrate customer networks. Moreover, the types of victims do not seem to follow any particular trend or pattern, aside from possessing an unpatched JetBrains TeamCity server. The attacks are opportunistic, affecting a heterogeneous mix of organizations in the US, Europe, Asia, and Australia.

In light of these events, organizations that have yet to patch their TeamCity servers are advised to check for signs of intrusion from both APT 29 and other attackers. Korea-backed hacking groups Lazarus and Andariel have also purportedly been exploiting the same vulnerability to gain long-term access to compromised network environments.
