North Korean Hacking Groups Exploit TeamCity Vulnerability to Breach Networks
October 18, 2023
Microsoft has reported that North Korean hacking groups Lazarus and Andariel are exploiting a critical flaw, CVE-2023-42793, in TeamCity servers to deploy backdoor malware. TeamCity, a continuous integration and deployment server, is widely used by organizations as part of their software development infrastructure. The vulnerability, which was fixed by TeamCity in September, allows unauthenticated attackers to remotely execute code. Despite the quick response from TeamCity, threat actors, including ransomware gangs, have exploited the flaw to breach corporate networks.
Microsoft Threat Intelligence has observed Lazarus and Andariel exploiting CVE-2023-42793 to breach TeamCity servers. Although Microsoft did not specify the ultimate goal of these attacks, it suspects they could be a precursor to software supply chain attacks. Microsoft tracks Lazarus under the name Diamond Sleet: "In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments," Microsoft explained. The company further assessed that this activity poses a high risk to affected organizations.
Once the threat actors breach a TeamCity server, they use various attack chains to deploy backdoors and establish persistence on the compromised network. Lazarus, for instance, was observed deploying the ForestTiger malware in one attack chain. Another attack chain involved the use of DLL search order hijacking attacks to launch a malware loader called FeedLoad. Andariel, on the other hand, uses a more hands-on approach, creating an admin account on the breached server and running commands to gather system information.
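One of the behaviours described above, a new local account being created on the breached server and immediately given administrative rights, leaves a simple trail in the host's security log. The script below is an added example for this article, not code from Microsoft, JetBrains or the reporting source: it correlates simplified Windows Security events (Event ID 4720, user account created, and 4732, member added to a security-enabled local group) on a build host and flags accounts that were created and added to Administrators within a short window. The event records, host name and account names are constructed, and the event-record field names are an assumption of this example rather than the native Windows log schema.

```python
"""Flag newly created local accounts that are promoted to Administrators
within a short window on a build server.

Added example for this article; not code from Microsoft or JetBrains.
Event IDs 4720 (user account created) and 4732 (member added to a
security-enabled local group) are real Windows Security event IDs; the
dictionary layout of each record is a simplification assumed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical TeamCity build host.
# The first pair mimics an account created by the server's own service
# identity and promoted seconds later; the second pair is routine admin work.
SAMPLE_EVENTS = [
    {"time": "2023-10-10T02:14:05", "event_id": 4720, "host": "teamcity-01",
     "subject": "SYSTEM", "target_user": "svc_update"},
    {"time": "2023-10-10T02:14:09", "event_id": 4732, "host": "teamcity-01",
     "subject": "SYSTEM", "group": "Administrators", "member": "svc_update"},
    {"time": "2023-10-10T09:30:00", "event_id": 4720, "host": "teamcity-01",
     "subject": "helpdesk-admin", "target_user": "jdoe"},
    {"time": "2023-10-10T15:00:00", "event_id": 4732, "host": "teamcity-01",
     "subject": "helpdesk-admin", "group": "Remote Desktop Users", "member": "jdoe"},
]

WINDOW = timedelta(minutes=10)


def find_admin_account_creations(events, window=WINDOW):
    """Return a list of findings, one per account that was created (4720) and
    then added to the local Administrators group (4732) within `window`.

    Each finding is a dict with host, user, created_at, promoted_at and the
    subject (actor) that performed the promotion, so an analyst can see
    whether the server's service identity did it rather than a person.
    """
    created = defaultdict(list)  # (host, user) -> [datetime of 4720 events]
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[(ev["host"], ev["target_user"].lower())].append(ts)
        elif ev["event_id"] == 4732 and ev.get("group", "").lower() == "administrators":
            key = (ev["host"], ev["member"].lower())
            # Any creation of the same account on the same host inside the window.
            recent = [c for c in created.get(key, []) if timedelta(0) <= ts - c <= window]
            if recent:
                findings.append({
                    "host": ev["host"],
                    "user": ev["member"],
                    "created_at": max(recent),
                    "promoted_at": ts,
                    "subject": ev["subject"],
                })
    return findings


if __name__ == "__main__":
    for f in find_admin_account_creations(SAMPLE_EVENTS):
        print(f"{f['host']}: account {f['user']} created {f['created_at']} and "
              f"added to Administrators {f['promoted_at']} by {f['subject']}")
```

The window keeps the rule narrow enough to ignore ordinary provisioning; on a CI server the rule can be tightened further by alerting whenever the `subject` is the TeamCity service identity itself, since a build server process has no legitimate reason to create local administrators.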
Both Lazarus and Andariel are state-sponsored North Korean hacking groups, with Andariel being a subgroup of Lazarus. While their attacks serve the North Korean government, their objectives can differ. Lazarus has been linked to various espionage, data theft, and financial gain attacks, while Andariel targets defense and IT services entities in South Korea, the United States, and India to conduct cyber espionage, data theft, destructive attacks, and ransomware attacks.