US, European security agencies sound alarm on Russian SVR hackers exploiting TeamCity software vulnerability

Security agencies from the U.S. and Europe joined forces once again to issue a warning to both public and private organizations. The alert highlighted the activities of Russian Foreign Intelligence Service (SVR) cyber hackers, who are also known by various names such as APT 29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard. These hackers have been exploiting CVE-2023-42793 on a large scale, targeting servers that host JetBrains TeamCity software since September.

To raise awareness about Russia’s actions, Wednesday’s advisory provides information on the SVR’s most recent compromise to aid organizations in conducting their investigations and securing their networks, providing compromised entities with actionable indicators of compromise (IOCs). Additionally, it aims to empower private sector cybersecurity companies to enhance their ability to detect and counter the SVR’s malicious activities.

The U.S. Federal Bureau of Investigation (FBI), Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the U.K.’s National Cyber Security Centre (NCSC) detailed that software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. “If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations.”

The agencies are, however, not currently aware of any other initial access vector to JetBrains TeamCity being exploited by the SVR.

“Russian cyber actors continue taking advantage of known vulnerabilities for intelligence collection,” Rob Joyce, director of NSA’s cybersecurity directorate, said in a media statement. “It is critical to ensure systems are patched quickly, and to implement the mitigations and use the IOCs listed in this report to hunt for adversary persistent access.”

As a result of this latest SVR cyber activity, the FBI, CISA, NSA, SKW, CERT Polska, and NCSC have identified a few dozen compromised companies in the U.S., Europe, Asia, and Australia. They are also aware of ‘over a hundred compromised devices though we assess this list does not represent the full set of compromised organizations.’ 

The advisory identified that generally, the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that SVR’s exploitation of these victims’ networks was opportunistic in nature and not necessarily a targeted attack. 

The victims identified in the attack encompass various industries and sectors. Among them were an energy trade association, and software providers specializing in billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games. Additionally, hosting companies, tool manufacturers, and both small and large IT companies were also affected.

The agencies highlighted that although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in the same way. “The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” they added.

“In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies,” the advisory detailed. “By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers. JetBrains issued a patch for this CVE in mid-September 2023, limiting the SVR’s operation to the exploitation of unpatched, Internet-reachable TeamCity servers.” 

While the authoring agencies assess the SVR has not yet used its access to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure.

The SVR started to exploit Internet-connected JetBrains TeamCity servers in late September 2023 using CVE-2023-42793, in which insecure handling of specific paths allows authorization to be bypassed, resulting in arbitrary code execution on the server. The agencies’ observations show that the TeamCity exploitation usually resulted in code execution with high privileges, granting the SVR an advantageous foothold in the network environment.

In several cases, the SVR attempted to hide its backdoors by abusing a DLL hijacking vulnerability in Zabbix software, replacing a legitimate Zabbix DLL with one containing the GraphicalProton backdoor. The SVR also backdoored an open source application developed by Microsoft named ‘vcperf’ by modifying and copying its publicly available source code. After execution, the backdoored vcperf dropped several DLLs to disk, one of them being a GraphicalProton backdoor. The SVR may also abuse a DLL hijacking vulnerability in Webroot antivirus software by replacing a legitimate DLL with one containing the GraphicalProton backdoor.
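Both techniques above boil down to a DLL that is not the one the vendor shipped sitting in an application's search path. A practical defender-side check is a file-integrity baseline of the application directory. The following is an added example, not code from the advisory, JetBrains, Zabbix or Microsoft: it records SHA-256 hashes of every DLL under an application folder and later reports DLLs that were modified, added or removed. The directory layout, file names and file contents are constructed in a temporary directory purely to exercise the check; in production the baseline would be taken at install time and stored off-host, and Authenticode signature verification would be layered on top.

```python
"""DLL integrity baseline check (added example; paths and contents are constructed)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(app_dir: Path) -> dict[str, str]:
    """Map every DLL under app_dir (path relative to app_dir) to its SHA-256."""
    return {
        str(p.relative_to(app_dir)): sha256_of(p)
        for p in sorted(app_dir.rglob("*.dll"))
    }


def verify_against_baseline(app_dir: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the DLLs present now with the recorded baseline.

    'modified' = hash differs (a legitimate DLL replaced in place),
    'added'    = DLL not in the baseline (a DLL dropped into the search path),
    'missing'  = baseline DLL no longer present.
    """
    current = build_baseline(app_dir)
    modified = [n for n, h in current.items() if n in baseline and baseline[n] != h]
    added = [n for n in current if n not in baseline]
    missing = [n for n in baseline if n not in current]
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Simulate a DLL replacement in a constructed application folder."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "agent"  # constructed stand-in for an application directory
        app.mkdir()
        (app / "legit_helper.dll").write_bytes(b"MZ legit helper build 1.0")
        (app / "other.dll").write_bytes(b"MZ other library")
        baseline = build_baseline(app)  # taken when the install is known-good

        # Simulated tampering: the legitimate DLL is overwritten with different
        # contents and an extra DLL appears beside the application.
        (app / "legit_helper.dll").write_bytes(b"MZ replaced contents")
        (app / "sideloaded.dll").write_bytes(b"MZ unexpected extra dll")
        return verify_against_baseline(app, baseline)


if __name__ == "__main__":
    print(demo())
```

Run on a real host, `build_baseline` is executed once against a clean install and the result is persisted; `verify_against_baseline` is then scheduled, and any non-empty `modified` or `added` list for a directory that has not had a vendor update is worth an analyst's attention.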

To avoid detection by network monitoring, the SVR devised a covert C2 channel that used Microsoft OneDrive and Dropbox cloud services. To further enable obfuscation, data exchanged with malware via OneDrive and Dropbox were hidden inside randomly generated BMP files. 

The agencies assess the scope and indiscriminate targeting of this campaign as a threat to public safety and recommend organizations implement the mitigations below to improve the organization’s cybersecurity posture. They recommend applying available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023 if not already completed; monitoring the network for evidence of encoded commands and execution of network scanning tools; and ensuring host-based antivirus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.

Additionally, organizations should require the use of multi-factor authentication for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems. They must also keep all operating systems, software, and firmware up to date; audit log files to identify attempts to access privileged certificates and creation of fake identity providers; deploy software to identify suspicious behavior on systems; and deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.

They must also use available public resources to identify credential abuse with cloud environments and configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.
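Three of the monitoring recommendations above (encoded command execution, execution of network scanning tools, and an endpoint agent that stops reporting) can be turned into concrete detections. The following is an added example, not from the advisory: it runs simple rules over process-creation and agent-heartbeat events. The pipe-delimited log format, the host names, the timestamps and the command lines are all constructed for this demo (the encoded command is a harmless `Get-Process`, encoded the way PowerShell expects); real EDR and SIEM schemas differ, so the parsers would be adapted to the deployed product.

```python
"""Detections for three mitigation items (added example; logs are constructed)."""
import base64
import re
from datetime import datetime, timedelta

# PowerShell accepts -e, -ec, -enc and -encodedcommand for an encoded script block.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Image names of common network scanners (short illustrative list, not exhaustive).
SCANNER_IMAGES = {"nmap.exe", "masscan.exe", "zmap.exe"}

# Constructed sample: a harmless command encoded as PowerShell would (UTF-16LE, base64).
_SAMPLE_ENCODED = base64.b64encode("Get-Process".encode("utf-16le")).decode()

# Constructed process-creation events: timestamp|host|image|command_line
PROCESS_LOG = f"""\
2023-09-28T10:01:05|build01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
2023-09-28T10:02:11|build01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -enc {_SAMPLE_ENCODED}
2023-09-28T10:03:40|build01|C:\\Tools\\nmap.exe|nmap -sS 10.0.0.0/24
2023-09-28T10:04:02|build02|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

# Constructed endpoint-agent heartbeats: timestamp|host
HEARTBEAT_LOG = """\
2023-09-28T09:55:00|build01
2023-09-28T10:05:00|build01
2023-09-28T09:10:00|build02
2023-09-28T10:06:00|build03
"""


def parse_events(log: str) -> list[dict]:
    """Parse the constructed process log into dicts with ts/host/image/cmd."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmd = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "image": image, "cmd": cmd})
    return events


def detect_encoded_commands(events: list[dict]) -> list[tuple[str, str]]:
    """Flag PowerShell started with an encoded command; decode it for the analyst."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        m = ENCODED_FLAG.search(ev["cmd"])
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            decoded = "<undecodable>"  # still a hit: the flag was used
        hits.append((ev["host"], decoded))
    return hits


def detect_scanner_execution(events: list[dict]) -> list[tuple[str, str]]:
    """Flag execution of known network scanning tools by image file name."""
    hits = []
    for ev in events:
        name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SCANNER_IMAGES:
            hits.append((ev["host"], ev["cmd"]))
    return hits


def detect_silent_agents(heartbeat_log: str, now: datetime, max_gap: timedelta) -> list[str]:
    """Return hosts whose most recent agent heartbeat is older than max_gap."""
    last_seen: dict[str, datetime] = {}
    for line in heartbeat_log.splitlines():
        if not line.strip():
            continue
        ts, host = line.split("|", 1)
        t = datetime.fromisoformat(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


if __name__ == "__main__":
    events = parse_events(PROCESS_LOG)
    print("encoded commands:", detect_encoded_commands(events))
    print("scanner execution:", detect_scanner_execution(events))
    print("silent agents:", detect_silent_agents(HEARTBEAT_LOG, datetime(2023, 9, 28, 10, 10), timedelta(minutes=30)))
```

The heartbeat rule is the one most often forgotten: an agent that has been stopped or blocked produces no alert on its own, so the absence of reports has to be detected by the collector, with `max_gap` tuned to the agent's normal reporting interval.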

Last week, global security agencies published a cybersecurity advisory warning that Star Blizzard, a Russia-based hacker group (formerly known as SEABORGIUM and also referred to as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) with links to the Russian Federal Security Service (FSB), is actively targeting organizations and individuals in the U.K. and other geographical areas of interest. The group has been identified as using spear-phishing attacks to gather information from its targets.
