Russian hackers prey on vulnerable JetBrains TeamCity servers.

December 14, 2023

Russian state-sponsored hackers, potentially associated with the Russian Foreign Intelligence Service (SVR), have been targeting unpatched JetBrains TeamCity servers by exploiting the CVE-2023-42793 vulnerability. The hackers have been active since September 2023, hitting organizations across the US, Europe, Asia, and Australia, with no clear pattern in the choice of targets, and appear to be focused primarily on foreign intelligence collection.

  • APT 29, the group allegedly behind the attacks, is known to target a variety of organizations, including government agencies and companies in the energy, IT, and biomedical sectors, among others.
  • The hackers have systematically exploited an authentication bypass vulnerability in the TeamCity CI/CD platform that leads to Remote Code Execution (RCE). The patch for the vulnerability was released in mid-September 2023, but there are still nearly 800 unpatched instances worldwide.
  • Upon gaining initial access, the hackers perform a series of actions including host and network reconnaissance, privilege escalation, lateral movement, backdoor deployment, and steps to ensure long-term access to the compromised networks.
  • The advisory from the authorities contains indicators of compromise and the methods used by the attackers, and urges security teams to check for signs of intrusion if they failed to patch their TeamCity servers in time.
  • JetBrains released a security patch promptly to mitigate the vulnerability and has been urging its customers to update their software. According to its statistics, less than 2% of TeamCity instances still run unpatched software.

The exploitation of JetBrains TeamCity servers signals a focused SVR operation targeting technology companies. This incident once again underlines the importance of timely software updates and patching to safeguard an organization’s network and information assets.
