Multiple North Korean threat actors have been observed exploiting a recent vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server, Microsoft warns.
Tracked as CVE-2023-42793, the critical-severity flaw allows unauthenticated attackers to execute code remotely on vulnerable on-premises TeamCity instances and gain administrator-level permissions.
In a new report, Microsoft notes that at least two North Korean state-sponsored threat actors, named Diamond Sleet and Onyx Sleet, have been exploiting CVE-2023-42793 in attacks. The tech giant points out that the two groups have been known to conduct software supply chain attacks and warns that this activity poses a high risk to impacted organizations.
“Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments,” Microsoft says.
Also known as Zinc and believed to be a sub-group of Lazarus, Diamond Sleet is focused on espionage, data theft, destruction, and financial gain, and is known for targeting defense-related entities, journalists, and IT services organizations.
The group has been observed compromising TeamCity servers to deploy a persistent backdoor named ForestTiger, and using the malware to dump LSASS credentials from memory.
In other attacks, the threat actor was seen leveraging DLL search-order hijacking and legitimate executables to perform nefarious activities, such as the deployment of a remote access trojan (RAT).
Onyx Sleet, which is also tracked as Plutonium, Andariel, and DarkSeoul, is known for exploiting N-day vulnerabilities in attacks targeting defense and IT services organizations in the US, South Korea, and India.
In attacks targeting TeamCity servers, the hacking group has been observed creating a new account on compromised systems that impersonates the legitimate Windows account used for the Kerberos Ticket Granting Ticket, and adding that account to the administrators group.
Following system fingerprinting, the attackers deployed a proxy tool to establish a persistent connection, signed in via remote desktop protocol (RDP), stopped the TeamCity service, dumped credentials from LSASS memory, and deployed additional tools for credential and data theft.
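As an added example (not code from Microsoft's report or this article), a small Python check a defender could run over Windows Security audit events to surface the account-creation step described above: a newly created account whose name is a near-match for the built-in Kerberos TGT account name (krbtgt) that is subsequently added to the local Administrators group. It assumes the standard audit event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group); the sample events and account names below are constructed.

```python
# Constructed sample Windows Security events (not from the article or Microsoft's report).
# 4720 = user account created, 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"id": 4720, "host": "teamcity01", "target": "krbtgt_"},                  # constructed lookalike
    {"id": 4732, "host": "teamcity01", "target": "krbtgt_", "group": "Administrators"},
    {"id": 4720, "host": "build02", "target": "svc_build"},                    # benign service account
    {"id": 4732, "host": "build02", "target": "svc_build", "group": "Remote Desktop Users"},
    {"id": 4732, "host": "build02", "target": "krbtgt", "group": "Administrators"},  # real name, not a lookalike
]

KRBTGT = "krbtgt"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-style lookalikes of the krbtgt name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_krbtgt_lookalike(name: str, threshold: int = 2) -> bool:
    """True for names close to 'krbtgt' but not the genuine account name itself."""
    n = name.lower()
    return n != KRBTGT and edit_distance(n, KRBTGT) <= threshold


def find_suspicious_admin_accounts(events):
    """Return (host, account) pairs where a krbtgt-lookalike account was created (4720)
    and then added to the local Administrators group (4732) on the same host."""
    created = {
        (e["host"], e["target"].lower())
        for e in events
        if e["id"] == 4720 and is_krbtgt_lookalike(e["target"])
    }
    hits = []
    for e in events:
        if e["id"] == 4732 and e.get("group", "").lower() == "administrators":
            key = (e["host"], e["target"].lower())
            if key in created and key not in hits:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for host, account in find_suspicious_admin_accounts(SAMPLE_EVENTS):
        print(f"ALERT {host}: lookalike account '{account}' added to Administrators")
```

The same pairing can be applied to domain-level group changes (event 4728) and correlated with the TeamCity service being stopped on the same host, which the report describes as the next step.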
Organizations are advised to apply patches for CVE-2023-42793 as soon as possible, to investigate their networks for potential compromise, block traffic from the IP addresses in Microsoft’s list of indicators of compromise (IoCs), immediately remediate any identified malicious activity, and investigate potential lateral movement.