North Korean Hacking Groups Exploit TeamCity Vulnerability to Breach Networks

October 18, 2023

Microsoft has reported that North Korean hacking groups Lazarus and Andariel are exploiting a critical flaw, CVE-2023-42793, in TeamCity servers to deploy backdoor malware. TeamCity, a continuous integration and deployment server, is widely used by organizations as part of their software development infrastructure. The vulnerability, which was fixed by TeamCity in September, allows unauthenticated attackers to remotely execute code. Despite the quick response from TeamCity, threat actors, including ransomware gangs, have exploited the flaw to breach corporate networks.

Microsoft's Threat Intelligence team has observed Lazarus and Andariel exploiting CVE-2023-42793 to breach TeamCity servers. Although Microsoft did not specify the ultimate goal of these attacks, it suspects they could be a precursor to software supply chain attacks. "In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments," Microsoft explained (Diamond Sleet is Microsoft's name for Lazarus). The company further assessed that this activity poses a high risk to affected organizations.

Once the threat actors breach a TeamCity server, they use various attack chains to deploy backdoors and establish persistence on the compromised network. Lazarus, for instance, was observed deploying the ForestTiger malware in one attack chain. Another attack chain involved the use of DLL search order hijacking attacks to launch a malware loader called FeedLoad. Andariel, on the other hand, uses a more hands-on approach, creating an admin account on the breached server and running commands to gather system information.
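The account-creation behaviour described above is one of the easier post-exploitation steps for a defender to spot, because a CI server's service identity normally never creates local users or adds anyone to the Administrators group. The following is an added example, not code from the article or from Microsoft or JetBrains: it scans Windows Security event records for a new local account created by the build server's service account, or a freshly created account promoted to Administrators within a short window. The event records, the service account name `SVC_TEAMCITY`, and the ten-minute window are all constructed assumptions; the event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are real Windows Security event IDs.

```python
"""Flag suspicious local-admin creation on a CI build server.

Added example for illustration; it assumes Windows Security log records
have already been parsed into dicts with the fields used below. Event IDs
4720 (user created) and 4732 (member added to local group) are real
Windows Security event IDs; everything else here is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry, not real events. The first pair mimics a
# build-server service identity creating a user and promoting it to
# Administrators; the second pair is routine onboarding by a human admin.
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": "2023-10-01T02:14:05", "subject": "SVC_TEAMCITY",
     "target": "support"},
    {"event_id": 4732, "time": "2023-10-01T02:14:09", "subject": "SVC_TEAMCITY",
     "target": "support", "group": "Administrators"},
    {"event_id": 4720, "time": "2023-10-01T09:30:00", "subject": "jdoe",
     "target": "newdev"},
    {"event_id": 4732, "time": "2023-10-01T09:31:00", "subject": "jdoe",
     "target": "newdev", "group": "Remote Desktop Users"},
]

# Hypothetical service account the TeamCity service runs under.
CI_SERVICE_ACCOUNTS = {"SVC_TEAMCITY"}
# How soon after creation an Administrators membership is considered suspicious.
PROMOTION_WINDOW = timedelta(minutes=10)


def find_suspicious_admin_creation(events, service_accounts=CI_SERVICE_ACCOUNTS,
                                   window=PROMOTION_WINDOW):
    """Return a list of (target_account, reason) findings.

    Two rules:
      1. Any account created (4720) by a CI service identity is flagged.
      2. Any account added to Administrators (4732) within `window` of its
         own creation is flagged, regardless of who performed the action.
    """
    findings = []
    created = {}  # target account -> datetime of its 4720 event
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[ev["target"]] = when
            if ev["subject"] in service_accounts:
                findings.append((ev["target"],
                                 f"account created by CI service identity {ev['subject']}"))
        elif ev["event_id"] == 4732 and ev.get("group") == "Administrators":
            created_at = created.get(ev["target"])
            if created_at is not None and when - created_at <= window:
                findings.append((ev["target"],
                                 "new account added to Administrators "
                                 f"{int((when - created_at).total_seconds())}s after creation"))
    return findings


if __name__ == "__main__":
    for account, reason in find_suspicious_admin_creation(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {account}: {reason}")
```

Both rules fire on the constructed `support` account and neither fires on `newdev`, since it was created by a human administrator and was only added to Remote Desktop Users. In a real deployment the service account set and window are tuning knobs; the point is that the build server's own identity creating users is a condition worth alerting on unconditionally.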

Both Lazarus and Andariel are state-sponsored North Korean hacking groups, with Andariel being a subgroup of Lazarus. While their attacks serve the North Korean government, their objectives can differ. Lazarus has been linked to various espionage, data theft, and financial gain attacks, while Andariel targets defense and IT services entities in South Korea, the United States, and India to conduct cyber espionage, data theft, destructive attacks, and ransomware attacks.
