Russian hackers eye unfortified JetBrains TeamCity servers.

December 14, 2023
1 min read

Russian state-sponsored hackers have been targeting unpatched JetBrains TeamCity servers by exploiting the vulnerability CVE-2023-42793, according to a joint warning issued by the cybersecurity authorities of the US, UK, and Poland. The hacker group APT 29, believed to be connected with the Russian Foreign Intelligence Service, has been active since 2013 and is said to be behind these attacks. The victims include government agencies, think tanks, political organizations, diplomatic agencies, biomedical and energy companies, as well as IT companies across the USA, Europe, Asia, and Australia. The main objective is the collection of foreign intelligence.

  • APT 29 was also instrumental in the operation targeting the SolarWinds information technology company and its customers.
  • JetBrains TeamCity servers are being primarily targeted this time.
  • Attacks tend to be opportunistic in nature and hit disparate organizations.

In these recent attacks, the exploited vulnerability CVE-2023-42793 is an authentication bypass flaw in the TeamCity CI/CD platform that can lead to Remote Code Execution (RCE). Patches for this vulnerability were released in mid-September 2023, yet approximately 800 unpatched JetBrains TeamCity instances still exist globally.

After gaining initial access by exploiting the vulnerability, the hackers carry out host and network reconnaissance, escalate their privileges, move laterally, deploy backdoors, and secure long-term access to the compromised networks, using various tactics to avoid detection. This gives them access to the software developers' source code and signing certificates, and the ability to subvert software compilation and deployment processes. However, they have not yet used their access to software developers to infiltrate customer networks.

  • The indicators of compromise include log file entries, files, and IP addresses.
  • The Korean-backed Lazarus and Andariel hacking groups have also been exploiting this vulnerability since early October.

JetBrains' response indicates that they were already aware of this vulnerability and addressed it in the TeamCity 2023.05.4 update released in September 2023. They state that less than 2% of TeamCity instances still run unpatched software and are urging their owners to patch immediately. Importantly, the vulnerability only affects on-premises instances of TeamCity, not the cloud version.
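As a defender-side illustration of the two facts above (the fix shipped in 2023.05.4, and only on-premises instances are affected), here is an added example, not code from the advisory or from JetBrains, that triages a constructed TeamCity inventory for hosts still needing the update. It assumes that any on-premises build sorting below 2023.05.4 is unpatched, that versions follow the year.month[.bugfix] pattern, and uses made-up hostnames.

```python
from typing import Dict, List, Tuple

FIXED_VERSION = "2023.05.4"  # the update the page names as the fix


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'YYYY.MM[.bugfix]' into a comparable tuple; a missing bugfix
    counts as 0, and non-numeric tails such as 'EAP' are rejected."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised TeamCity version: {version!r}")
    nums = [int(p) for p in parts] + [0]
    return nums[0], nums[1], nums[2]


def is_unpatched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the build sorts strictly below the fixed version."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return on-premises hosts still needing the update. Cloud entries are
    skipped (only on-prem is affected); unparsable versions are flagged."""
    findings = []
    for entry in inventory:
        if entry["deployment"] != "on-prem":
            continue
        try:
            status = "UNPATCHED" if is_unpatched(entry["version"]) else None
        except ValueError:
            status = "UNKNOWN_VERSION"  # review by hand, e.g. an EAP build
        if status:
            findings.append({**entry, "status": status})
    return findings


# Constructed sample inventory; the hostnames are not real.
SAMPLE_INVENTORY = [
    {"host": "ci-01.example.test", "deployment": "on-prem", "version": "2023.05.3"},
    {"host": "ci-02.example.test", "deployment": "on-prem", "version": "2023.05.4"},
    {"host": "ci-03.example.test", "deployment": "on-prem", "version": "2023.11"},
    {"host": "ci-04.example.test", "deployment": "on-prem", "version": "2023.11 EAP"},
    {"host": "tc.cloud.example.test", "deployment": "cloud", "version": "2023.05.1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['status']:16} {f['host']:24} {f['version']}")
```

In a real environment the inventory would come from your asset database or from each server's version banner; the comparison logic stays the same.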
