Russian state-sponsored hackers, potentially associated with the Russian Foreign Intelligence Service (SVR), have been targeting unpatched JetBrains TeamCity servers by exploiting the CVE-2023-42793 vulnerability. The hackers have been active since September 2023, hitting organizations across the US, Europe, Asia, and Australia, with no clear pattern in the choice of targets, and appear to be focused primarily on foreign intelligence collection.
- APT29, the group allegedly behind the attacks, has been known to target a variety of organizations, including government agencies and companies in the energy, IT, and biomedical sectors, among others.
- The hackers have systematically exploited an authentication bypass vulnerability in the TeamCity CI/CD platform that leads to remote code execution (RCE). A patch for the vulnerability was released in mid-September 2023, but nearly 800 unpatched instances remain exposed worldwide.
- After gaining initial access, the hackers perform a series of actions including host and network reconnaissance, privilege escalation, lateral movement, backdoor deployment, and steps to ensure long-term access to the compromised networks.
- The advisory from the authorities lists indicators of compromise and the methods used by the attackers, and advises security teams to check for signs of intrusion if they did not patch their TeamCity servers in time.
- JetBrains released a security patch promptly to mitigate the vulnerability and has been urging customers to update their software. According to its statistics, fewer than 2% of TeamCity instances are still running unpatched software.
The exploitation of JetBrains TeamCity servers signals a focused SVR operation targeting technology companies. This case again underscores the importance of timely software updates and patching to safeguard an organization’s network and information assets.