Russian APT29 Hackers Exploiting TeamCity Servers Since September: CISA
December 13, 2023
The US Cybersecurity and Infrastructure Security Agency (CISA), together with its cybersecurity partners and intelligence services, has issued a warning that the APT29 hacking group, associated with Russia's Foreign Intelligence Service (SVR), has been targeting unpatched TeamCity servers in a series of widespread attacks that began in September 2023.
APT29 is notorious for its role in the SolarWinds supply-chain attack that compromised multiple U.S. federal agencies three years prior. The group has also targeted Microsoft 365 accounts of numerous entities within NATO countries, seeking foreign policy-related information. Furthermore, they have been connected to a range of phishing campaigns aimed at governments, embassies, and high-ranking officials across Europe.
The hackers are exploiting a critical security vulnerability in TeamCity servers, identified as CVE-2023-42793, which allows unauthenticated threat actors to carry out low-complexity remote code execution (RCE) attacks without any user interaction. "By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers," CISA cautioned.
The SVR has reportedly used the initial access gained by exploiting the TeamCity vulnerability to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments. While the SVR has not yet used its access to software developers to infiltrate customer networks, it is believed to still be in the preparatory phase of its operation.
Swiss security firm Sonar, the discoverer of the flaw, published technical details about the vulnerability after JetBrains released an update to address the issue. "This enables attackers not only to steal source code but also stored service secrets and private keys," Sonar explained. "And it's even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users."
The Shadowserver Foundation, a nonprofit internet security organization, is tracking almost 800 unpatched TeamCity servers vulnerable to these attacks. In early October, several ransomware gangs were already exploiting the vulnerability to breach corporate networks, as reported by threat intelligence companies GreyNoise and PRODAFT. Microsoft later revealed that North Korean state-backed hacking groups Lazarus and Andariel were using CVE-2023-42793 exploits to backdoor victims' networks, likely in preparation for software supply chain attacks.
JetBrains' TeamCity software building and testing platform is used by over 30,000 organizations worldwide, including high-profile ones like Citibank, Ubisoft, HP, Nike, and Ferrari.