Russian state-sponsored hackers have been targeting unpatched JetBrains TeamCity servers by exploiting the vulnerability CVE-2023-42793, according to a joint warning issued by the cybersecurity authorities of the US, UK, and Poland. The hacker group APT 29, believed to be connected with the Russian Foreign Intelligence Service and active since 2013, is said to be behind these attacks. Victims include government agencies, think tanks, political organizations, diplomatic agencies, biomedical and energy companies, and IT companies across the USA, Europe, Asia, and Australia. The main objective is the collection of foreign intelligence.
- APT 29 was instrumental in the operation targeting the SolarWinds information technology company and its customers.
- This time, JetBrains TeamCity servers are the primary target.
- The attacks appear opportunistic in nature and hit a wide range of unrelated organizations.
The recent attacks exploit CVE-2023-42793, an authentication bypass in the TeamCity CI/CD platform that can lead to remote code execution (RCE). Patches for this vulnerability were released in mid-September 2023, yet approximately 800 unpatched JetBrains TeamCity instances still exist globally.
After gaining initial access through the vulnerability, the attackers carry out host and network reconnaissance, escalate privileges, move laterally, deploy backdoors, and establish long-term access to the compromised networks, using a variety of techniques to avoid detection. This gives them access to the software developers' source code and signing certificates, as well as the ability to subvert software build and deployment processes. However, they have not yet used this access to software developers to infiltrate customer networks.
- The indicators of compromise include log file entries, files, and IP addresses.
- The Korean-backed Lazarus and Andariel hacking groups have also been exploiting this vulnerability since early October.
JetBrains' response indicates that it was already aware of the vulnerability and addressed it in the TeamCity 2023.05.4 update released in September 2023. The company states that less than 2% of TeamCity instances still run unpatched software and is urging their owners to patch immediately. Importantly, the vulnerability affects only on-premises TeamCity instances, not the cloud version.