
Russia-linked APT29 spotted targeting JetBrains TeamCity servers


Russia-linked cyber espionage group APT29 has been targeting JetBrains TeamCity servers since September 2023.

Experts warn that the Russia-linked APT29 group has been observed targeting JetBrains TeamCity servers to gain initial access to the targets’ networks.

The APT29 group (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) exploited the flaw CVE-2023-42793 in TeamCity to carry out multiple malicious activities.

JetBrains TeamCity is a popular and highly extensible Continuous Integration (CI) and Continuous Delivery (CD) server developed by JetBrains, a software development company known for its developer tools. TeamCity is designed to automate various aspects of the software development process, including building, testing, and deploying applications, while providing a wide range of features and integrations to support collaborative development.

In September 2023, Sonar’s Vulnerability Research Team discovered the critical flaw CVE-2023-42793 (CVSS score of 9.8) in TeamCity.

The vulnerability is an authentication bypass issue affecting the on-premises version of TeamCity. An attacker can exploit the flaw to steal source code and stored service secrets and private keys of the target organization. By injecting malicious code, an attacker can also compromise the integrity of software releases and impact all downstream users.

“TeamCity server version 2023.05.3 and below is prone to an authentication bypass, which allows an unauthenticated attacker to gain remote code execution (RCE) on the server. This enables attackers not only to steal source code but also stored service secrets and private keys. And it’s even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users.” reads the post published by Sonar. “The attack does not require any user interaction.”

According to Shodan, more than 3,000 on-premises servers are exposed to the Internet.

The flaw impacts on-premises version 2023.05.3 and below, and JetBrains addressed the flaw with the release of version 2023.05.4. The issue does not affect TeamCity Cloud.

According to a joint report published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC), the group has been targeting TeamCity servers since September 2023.

Since September 2023, Russian Foreign Intelligence Service (SVR)-affiliated cyber actors (also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard) have been targeting servers hosting JetBrains TeamCity software that ultimately enabled them to bypass authorization and conduct arbitrary code execution on the compromised server.

“The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.” reads the joint Cybersecurity Advisory (CSA) titled Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally. “The authoring agencies’ observations show that the TeamCity exploitation usually resulted in code execution [T1203] with high privileges granting the SVR an advantageous foothold in the network environment.”

The report includes details about activities conducted by the APT group after they have gained access to the target networks, including reconnaissance, privilege escalation, lateral movement, and data exfiltration.

The nation-state actors used a “Bring Your Own Vulnerable Driver” technique to evade detection by bypassing or killing defense solutions such as EDR and antivirus (AV) software.

The cyberspies used an open-source project called “EDRSandBlast” to remove protected process light (PPL) protection. Then the attackers injected code into AV/EDR processes for a small subset of victims and used software like Mimikatz to steal credentials and expand their foothold in the target network.

The experts observed the attackers abusing a DLL hijacking vulnerability in Zabbix software by replacing a legitimate Zabbix DLL with a malware-laced DLL containing GraphicalProton backdoor.

The threat actors were also spotted abusing a DLL hijacking flaw in Webroot antivirus software to replace a legitimate DLL with one containing the GraphicalProton backdoor.

The group obtained privilege escalation through multiple techniques, including WinPEAS, NoLMHash registry key modification, and the Mimikatz tool.

The group used WMIC to facilitate lateral movement.
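The behaviours above (an unpatched on-premises TeamCity version, NoLMHash registry tampering, and WMIC driven from one host against another) can each be checked from telemetry a defender already collects. The following is an added example, not code from the advisory or from Security Affairs: a version check against the fixed release, plus a small rule set run over constructed Sysmon-style registry and process-creation records (the field names and event IDs follow Sysmon's RegistryEvent 13 and ProcessCreate 1; the sample records themselves are made up).

```python
"""Toy detection logic for two post-exploitation behaviours named in the
advisory, plus a TeamCity version check. Event schema is Sysmon-style;
the SAMPLE_EVENTS below are constructed, not real telemetry."""
import re
from typing import Iterable

TEAMCITY_FIXED = (2023, 5, 4)            # first fixed on-prem release (2023.05.4)
LSA_NOLMHASH_SUFFIX = r"\control\lsa\nolmhash"

def teamcity_is_vulnerable(version: str) -> bool:
    """True when an on-prem TeamCity version string is 2023.05.3 or below.
    Accepts '2023.05.3', '2023.11' or '2023.05.3 (build 129390)'."""
    parts = tuple(int(p) for p in version.split()[0].split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad '2023.11' to (2023, 11, 0)
    return parts < TEAMCITY_FIXED

def event_alerts(event: dict) -> list:
    """Return the alert names raised by one Sysmon-like event."""
    alerts = []
    if event.get("EventID") == 13:  # RegistryEvent: a value was set
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "")
        # NoLMHash=0 re-enables LM hash storage under HKLM\...\Control\Lsa
        if target.endswith(LSA_NOLMHASH_SUFFIX) and "0x00000000" in details:
            alerts.append("lsa_nolmhash_disabled")
    elif event.get("EventID") == 1:  # ProcessCreate
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        # wmic.exe with /node: runs the query against a remote host
        if image.endswith("\\wmic.exe") and re.search(r"/node:", cmd, re.I):
            alerts.append("wmic_remote_execution")
    return alerts

def scan(events: Iterable[dict]) -> dict:
    """Map each alert name to the RecordIds of the events that raised it."""
    hits = {}
    for ev in events:
        for name in event_alerts(ev):
            hits.setdefault(name, []).append(ev.get("RecordId"))
    return hits

SAMPLE_EVENTS = [  # constructed records
    {"RecordId": 1, "EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash", "Details": "DWORD (0x00000000)"},
    {"RecordId": 2, "EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash", "Details": "DWORD (0x00000001)"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic /node:FILESRV01 os get caption"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic os get caption"},
]

if __name__ == "__main__":
    print(teamcity_is_vulnerable("2023.05.3"), scan(SAMPLE_EVENTS))
```

Record 2 (NoLMHash set back to 1) and record 4 (local WMIC query) are deliberately benign so the rules can be seen to discriminate rather than fire on every match of the key or binary name.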

APT29 breached a few dozen companies in the United States, Europe, Asia, and Australia. The experts are also aware of over a hundred compromised devices, and they pointed out that the attacks against TeamCity servers are opportunistic in nature.

“Generally, the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that SVR’s exploitation of these victims’ networks was opportunistic in nature and not necessarily a targeted attack.” concludes the report. “Identified victims included: an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.”

The report includes mitigations for the ongoing campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, APT29)