SecurityWeek

Supply Chain Security

North Korean Hackers Exploiting Recent TeamCity Vulnerability

Multiple North Korean hacking groups have exploited a recent TeamCity vulnerability, and Microsoft warns of potential supply chain attacks.

Multiple North Korean threat actors have been observed exploiting a recent vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server, Microsoft warns.

Tracked as CVE-2023-42793, the critical-severity flaw is an authentication bypass that allows unauthenticated attackers to execute code remotely on vulnerable on-premises TeamCity instances and gain administrator-level permissions over the server.

JetBrains released patches for the bug on September 21 (TeamCity 2023.05.4), and the first in-the-wild exploitation attempts were reported only one week later.

In a new report, Microsoft notes that at least two North Korean state-sponsored threat actors, named Diamond Sleet and Onyx Sleet, have been exploiting CVE-2023-42793 in attacks. The tech giant points out that the two groups have been known to conduct software supply chain attacks and warns that this activity poses a high risk to impacted organizations.

“Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments,” Microsoft says.

Also known as Zinc and believed to be a sub-group of Lazarus, Diamond Sleet is focused on espionage, data theft, destruction, and financial gain, and is known for targeting defense-related entities, journalists, and IT services organizations.

The group has been observed compromising TeamCity servers to deploy a persistent backdoor named ForestTiger, and then using that backdoor to dump credentials from LSASS memory.

In other attacks, the threat actor planted a malicious DLL where a legitimate Windows executable would load it (DLL search-order hijacking), using the trusted process to carry out its activity, including the deployment of a remote access trojan (RAT).


Onyx Sleet, which is also tracked as Plutonium, Andariel, and DarkSeoul, is known for exploiting N-day vulnerabilities in attacks targeting defense and IT services organizations in the US, South Korea, and India.

In attacks targeting TeamCity servers, the hacking group has been observed creating a new local account whose name mimics krbtgt, the legitimate Windows account that backs the Kerberos Ticket Granting Ticket, and adding that lookalike account to the local Administrators group.

After fingerprinting the system, the attackers deployed a proxy tool to establish a persistent connection, signed in over Remote Desktop Protocol (RDP) with the new account, stopped the TeamCity service, dumped credentials from LSASS memory, and deployed additional tools for credential and data theft.
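The Onyx Sleet chain described above (a krbtgt-lookalike account, its addition to Administrators, an RDP sign-in, the TeamCity service being stopped, and an LSASS dump) and the LSASS credential dumping attributed to Diamond Sleet earlier all leave traces in Windows event logs. The script below is an added detection example written for this edit, not code from the article or from Microsoft's report. It runs a handful of rules over constructed event records (the field names follow the Windows Security, System and Sysmon event schemas, but the records, host names, SIDs, the lookalike name "krtbgt" and the path of the dumping tool are made up for illustration) and correlates the account-creation and group-membership events by SID, because event 4732 reports the added member as a SID rather than a name.

```python
import re
from collections import defaultdict

LEGIT_KRBTGT = "krbtgt"
LOOKALIKE_MAX_DISTANCE = 2
# Sysmon event 10 GrantedAccess values typical of LSASS credential dumping
# (0x1010 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0x1FFFFF = all access).
# Starting list only; tune it against your own Sysmon baseline.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1038, 0x1438, 0x143A, 0x1FFFFF}
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); catches names a typo or a
    transposition away from krbtgt, e.g. 'krtbgt' is at distance 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_krbtgt_lookalike(name: str) -> bool:
    """True for account names that mimic krbtgt but are not the real account
    (which exists once per domain and is never created on a build server).
    Trailing digits, '$', '_' and '-' are stripped so 'krbtgt1' also matches."""
    raw = name.strip().lower()
    if raw == LEGIT_KRBTGT:
        return False
    stem = re.sub(r"[\d$_-]+$", "", raw)
    return levenshtein(stem, LEGIT_KRBTGT) <= LOOKALIKE_MAX_DISTANCE


def detect(events: list) -> list:
    """Run the rules over event records in log order; returns (rule, host, detail)."""
    findings = []
    lookalike_sids = set()  # SIDs of lookalike accounts seen in a 4720 event
    for ev in events:
        ch, eid, host = ev["Channel"], ev["EventID"], ev["Computer"]
        if ch == "Security" and eid == 4720 and is_krbtgt_lookalike(ev["TargetUserName"]):
            lookalike_sids.add(ev["TargetSid"])
            findings.append(("KRBTGT_LOOKALIKE_CREATED", host, ev["TargetUserName"]))
        elif (ch == "Security" and eid == 4732
              and ev["TargetUserName"].lower() == "administrators"
              and ev["MemberSid"] in lookalike_sids):
            # 4732 carries the member as a SID (MemberName is usually "-"),
            # so correlate with the SID recorded from the 4720 above.
            findings.append(("LOOKALIKE_ADDED_TO_ADMINS", host, ev["MemberSid"]))
        elif (ch == "Security" and eid == 4624 and str(ev.get("LogonType")) == "10"
              and is_krbtgt_lookalike(ev["TargetUserName"])):
            # LogonType 10 = RemoteInteractive, i.e. an RDP session
            findings.append(("LOOKALIKE_RDP_LOGON", host, ev.get("IpAddress", "?")))
        elif (ch == "System" and eid == 7036
              and re.search(r"teamcity", ev["param1"], re.IGNORECASE)
              and ev["param2"].lower() == "stopped"):
            findings.append(("TEAMCITY_SERVICE_STOPPED", host, ev["param1"]))
        elif (ch == SYSMON and eid == 10
              and ev["TargetImage"].lower().endswith("\\lsass.exe")
              and int(ev["GrantedAccess"], 16) in SUSPICIOUS_LSASS_ACCESS):
            findings.append(("LSASS_ACCESS", host, ev["SourceImage"]))
    return findings


def score(findings: list) -> dict:
    """Collapse findings per host: three or more distinct rules firing on one
    host is most of the chain described in the report, so rate it HIGH."""
    rules_by_host = defaultdict(set)
    for rule, host, _ in findings:
        rules_by_host[host].add(rule)
    return {h: ("HIGH" if len(r) >= 3 else "LOW") for h, r in rules_by_host.items()}


# Constructed sample records (not real logs); one compromised build server
# plus benign noise from a second host that must not fire any rule.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4720, "Computer": "TC-BUILD01",
     "TargetUserName": "krtbgt", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"Channel": "Security", "EventID": 4732, "Computer": "TC-BUILD01",
     "TargetUserName": "Administrators", "MemberName": "-",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    {"Channel": "Security", "EventID": 4624, "Computer": "TC-BUILD01",
     "TargetUserName": "krtbgt", "LogonType": 10, "IpAddress": "203.0.113.7"},
    {"Channel": "System", "EventID": 7036, "Computer": "TC-BUILD01",
     "param1": "TeamCity Server", "param2": "stopped"},
    {"Channel": SYSMON, "EventID": 10, "Computer": "TC-BUILD01",
     "SourceImage": "C:\\Users\\Public\\dump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "Security", "EventID": 4720, "Computer": "FS01",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1111-2222-3333-1200"},
    {"Channel": "System", "EventID": 7036, "Computer": "FS01",
     "param1": "Print Spooler", "param2": "stopped"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    print(score(detect(SAMPLE_EVENTS)))
```

Records exported with Get-WinEvent and converted to dictionaries keyed by the event data names will fit the rules as written. Two caveats: Sysmon event 10 exists only when process-access logging is enabled in the Sysmon configuration, and the LSASS access-mask set is a starting point, so expect to add masks (and exclude known security tools by SourceImage) after a baseline run.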

Organizations are advised to apply the patches for CVE-2023-42793 as soon as possible (update on-premises servers to TeamCity 2023.05.4 or later), to investigate their networks for signs of compromise, to block traffic to and from the IP addresses in Microsoft's list of indicators of compromise (IoCs), to remediate any identified malicious activity immediately, and to investigate potential lateral movement from the build server.
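Acting on the patch advice starts with knowing whether a given on-premises instance is still below the fixed release. The helper below is an added example, not JetBrains' code: it parses the version string shown in the TeamCity web UI footer or returned by the server's REST endpoint (the `/app/rest/server` response shape and the sample version strings here are assumptions and constructed data, not values taken from the article) and compares it numerically against 2023.05.4, which a plain string comparison gets wrong once the patch component reaches two digits.

```python
import re
import urllib.request

# Fix shipped in TeamCity 2023.05.4 (on-premises); earlier releases are affected.
FIXED_VERSION = (2023, 5, 4)
VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?\b")


def parse_version(text: str) -> tuple:
    """Extract (year, minor, patch) from a TeamCity version string such as
    '2023.05.3 (build 129390)' or from the XML of /app/rest/server.
    Numeric comparison matters: as strings, '2023.05.10' sorts below '2023.05.4'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no TeamCity version found in: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text: str) -> bool:
    """True when the parsed version predates the CVE-2023-42793 fix."""
    return parse_version(text) < FIXED_VERSION


def fetch_server_xml(base_url: str, timeout: float = 5.0) -> str:
    """Assumed retrieval path (not exercised offline): GET <base_url>/app/rest/server
    and return the XML body, whose 'version' attribute carries the version string.
    Access may require credentials or guest login depending on server settings."""
    req = urllib.request.Request(base_url.rstrip("/") + "/app/rest/server",
                                 headers={"Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample response (attribute layout is an assumption).
SAMPLE_REST_XML = ('<server version="2023.05.3 (build 129390)" versionMajor="2023" '
                   'versionMinor="5" buildNumber="129390"/>')

if __name__ == "__main__":
    for sample in ("2023.05.3 (build 129390)", "2023.05.4 (build 129421)",
                   "2023.05.10", "2022.10.3", SAMPLE_REST_XML):
        print(parse_version(sample), "VULNERABLE" if is_vulnerable(sample) else "fixed")
```

One caveat for triage: JetBrains also published a security patch plugin that closes this hole on older TeamCity releases without a version upgrade, so a server this check flags may already be protected; confirm plugin presence before treating it as exposed.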

Related: North Korean Hackers Steal $53 Million in Cryptocurrency From CoinEx

Related: FBI Blames North Korean Hackers for $41 Million Stake.com Heist

Related: Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

