- The US Cybersecurity and Infrastructure Security Agency (CISA) warns that Russian Foreign Intelligence Services are exploiting a security flaw in JetBrains TeamCity, a popular CI/CD tool.
- The vulnerability is being exploited on a large scale by a Russian threat actor known by various names, including APT 29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.
- Compromised TeamCity accounts could expose developer source code, signing certificates, and more.
- Organizations are urged to conduct their own investigations and secure their networks.
- North Korean hackers had also been exploiting the same vulnerability.
- JetBrains has since issued a fix, highlighting the importance of applying security fixes promptly.
The US Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, the UK’s National Cyber Security Centre (NCSC), and Poland’s Military Counterintelligence Service (SKW) and CERT Polska (CERT.PL), has issued a warning related to the exploitation of a vulnerability in popular CI/CD tool TeamCity. The warning concerns a Russian threat actor, known by several names such as APT 29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, that has been exploiting the vulnerability on a large scale since September 2023.
The security flaw in question could result in compromised TeamCity accounts, potentially exposing developer source code, signing certificates, and other sensitive data. Exploitation of the vulnerability, tracked as CVE-2023-42793, stems from insecure handling of specific paths and leads to arbitrary code execution on the server.
In a bid to protect their networks, organizations are strongly encouraged to conduct their own investigations. The early warning from leading security bodies is also intended to help cybersecurity companies better prepare for such attacks. Furthermore, CISA has stated that it is unaware of any other initial access vector into JetBrains TeamCity, though affected companies globally have already been notified.
In a similar scenario a few weeks ago, Microsoft announced that state-linked North Korean hackers had also been exploiting the same vulnerability, CVE-2023-42793. JetBrains has since issued a fix for this vulnerability, underlining the critical need to apply security fixes promptly as they are released.