- Russian state-sponsored hackers have exploited a vulnerability in JetBrains TeamCity servers in their cyber operations.
- The campaign targets unpatched, internet-facing TeamCity servers and has affected organizations in the US, Europe, Asia, and Australia.
- The tactics include gaining initial access by exploiting the vulnerability, performing reconnaissance, escalating privileges, deploying backdoors, and establishing long-term persistence in the compromised network environments.
The attacks have been attributed to APT29, also known as Cozy Bear and Midnight Blizzard, a group believed to be associated with Russia's Foreign Intelligence Service (SVR). Active since at least 2013, the group typically targets government agencies, think tanks, political and diplomatic organizations, biomedical research, and energy and IT companies, among others. Its primary goal is to collect foreign intelligence.
The vulnerability exploited is CVE-2023-42793, an authentication bypass in the JetBrains TeamCity CI/CD server (On-Premises) that can lead to remote code execution. Patches have been available since mid-September 2023, yet at the time of the advisory approximately 800 TeamCity instances worldwide were believed to remain unpatched.
The advisory agencies noted that they had not observed APT29 using the access gained through TeamCity to compromise the downstream customers of the affected organizations, as in a software supply chain attack. Organizations were warned to check for signs of intrusion by APT29 and by other attackers: Microsoft reported that since early October 2023 the North Korean state-backed groups Lazarus and Andariel had also been exploiting the same vulnerability. All organizations running TeamCity have been strongly advised to verify their server version and install the security patches.
JetBrains confirmed that the fix shipped in TeamCity 2023.05.4, released on September 18, 2023. The company has continued to urge customers to update immediately and to follow security best practices, all aimed at hardening their build pipelines.
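Because the campaign hinges on servers still running a release older than 2023.05.4, the first practical check is an inventory of TeamCity versions. The script below is an added example (not code from the article or from JetBrains): it parses TeamCity's `YYYY.MM[.patch] (build N)` version strings, flags anything below 2023.05.4 as unpatched, and treats unparseable strings as unknown so they are not silently passed. The REST path `/app/rest/server` and its `version` attribute used in `fetch_version` are an assumption about the TeamCity API; the hostnames, version strings and build numbers in `SAMPLE_INVENTORY` are constructed for illustration.

```python
"""Triage TeamCity instances against the CVE-2023-42793 fix version (2023.05.4).

Added example, not from the original article or JetBrains. Assumes version
strings of the form "YYYY.MM[.patch] (build N)" and that GET /app/rest/server
exposes that string in its `version` attribute (assumption, see fetch_version).
"""
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# First release carrying the fix, per JetBrains (2023.05.4, 2023-09-18).
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)

# Major.minor with an optional patch level; trailing "(build N)" is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-01.example.internal": "2023.05.4 (build 129421)",
    "ci-02.example.internal": "2023.05.3 (build 129390)",
    "ci-03.example.internal": "2023.11 (build 147412)",
    "ci-legacy.example.internal": "2022.10.3 (build 117173)",
    "ci-odd.example.internal": "n/a",
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2023.05.4 (build 129421)' -> (2023, 5, 4); a missing patch level is 0.
    Returns None when the string does not look like a TeamCity version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(text: str) -> Optional[bool]:
    """True if the version is 2023.05.4 or later, False if older,
    None if it could not be parsed (treat as unpatched until verified)."""
    version = parse_version(text)
    if version is None:
        return None
    return version >= FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patched' | 'UNPATCHED' | 'unknown' for a host->version inventory."""
    result = {}
    for host, version in inventory.items():
        state = is_patched(version)
        if state is None:
            result[host] = "unknown"
        else:
            result[host] = "patched" if state else "UNPATCHED"
    return result


def fetch_version(base_url: str, user: str, password: str, timeout: int = 10) -> str:
    """Fetch the server version string over the REST API with HTTP basic auth.
    ASSUMPTION: GET {base_url}/app/rest/server returns <server version="..."/>."""
    auth = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    auth.add_password(None, base_url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(auth))
    with opener.open(base_url.rstrip("/") + "/app/rest/server", timeout=timeout) as resp:
        return ET.fromstring(resp.read()).attrib["version"]


if __name__ == "__main__":
    # Offline run over the constructed inventory; swap in fetch_version() results
    # for a live check of your own servers.
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:30} {state}")
```

Anything reported as `UNPATCHED` or `unknown` should be taken offline from the internet, upgraded, and then reviewed for the post-exploitation signs the advisory describes (new accounts and tokens, unexpected processes and persistence), since patching alone does not evict an attacker who is already present.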