The Russian cyberespionage group known as APT29 has been exploiting a recent TeamCity vulnerability on a large scale since September 2023, according to government agencies in the US, UK, and Poland.
The issue, tracked as CVE-2023-42793 (CVSS score of 9.8) and impacting on-premises TeamCity instances, is described as an authentication bypass that can be exploited without user interaction to steal sensitive information and take over vulnerable servers.
Exploitation of the bug started days after patches were released in late September, with several ransomware groups observed targeting CVE-2023-42793. By the end of October, North Korean state-sponsored threat actors were also exploiting the flaw.
Now, government agencies in the US, the UK, and Poland reveal that at least one Russian nation-state actor has been exploiting the vulnerability in cyberattacks since September.
The hacking group, tracked as APT29, CozyBear, the Dukes, Midnight Blizzard, Nobelium, and Yttrium, is believed to be sponsored by the Russian Foreign Intelligence Service (SVR), and was previously blamed for the 2016 US election hack, the 2020 SolarWinds attack, and various other high-profile attacks.
“The SVR has been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” the government agencies noted in a joint advisory (PDF).
As part of the observed attacks, APT29 exploited CVE-2023-42793 to execute code with high privileges and gain a foothold on the target environments. Next, the attackers performed reconnaissance, exfiltrated files (showing an interest in SQL servers), disabled EDR and anti-virus software, established persistence, and moved to exfiltrate sensitive data.
The cyberespionage group was observed using multiple custom and open source tools and backdoors, such as the GraphicalProton malware, which was initially detailed in July 2023 (PDF).
TeamCity is used by software developers to manage and automate their processes. Compromised TeamCity servers could be useful for supply chain attacks, such as the one aimed at SolarWinds.
“While the authoring agencies assess the SVR has not yet used its accesses to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure,” the government agencies pointed out.
On the same day that the joint advisory was released, Fortinet published a technical analysis of an APT29 attack, which targeted a US organization in the biomedical manufacturing sector, pointing out that it has observed multiple threat actors attempting to exploit the vulnerable environment.
Organizations are advised to review JetBrains’ advisory on CVE-2023-42793, update on-premises TeamCity instances to a patched release, and review the indicators of compromise (IoCs) released by the US, UK, and Polish agencies and by Fortinet to hunt for malicious activity in their environments.
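The first of those steps, confirming that each on-premises server actually runs a patched release, is easy to automate. The script below is an added example, not code from the article, JetBrains, or the advisories: it parses the XML that TeamCity's REST endpoint `/app/rest/server` returns, extracts the `version` attribute, and compares it against a patched release string. The article does not name the fixed release, so `PATCHED_RELEASE` is a placeholder to be replaced with the version from JetBrains' advisory; the sample XML is constructed, and the optional fetch helper assumes a TeamCity access token is available.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a /app/rest/server response (attribute set abbreviated;
# real responses carry more attributes). The assumption is that the 'version'
# attribute holds the release string followed by build information.
SAMPLE_SERVER_XML = (
    '<server version="2023.05.3 (build 129390)" versionMajor="2023" '
    'versionMinor="5" buildNumber="129390" />'
)

# Placeholder: replace with the fixed release named in JetBrains' advisory
# for CVE-2023-42793 before running this against real servers.
PATCHED_RELEASE = "PATCHED.RELEASE.FROM.ADVISORY"


def parse_version(version_string):
    """Turn '2023.05.3 (build 129390)' into (2023, 5, 3), ignoring build info."""
    core = version_string.split()[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(parts)


def server_version_from_xml(xml_text):
    """Extract the release string from a /app/rest/server XML document."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("not a TeamCity /app/rest/server response")
    return root.attrib["version"]


def is_patched(installed, patched):
    """True when the installed release is at or above the patched release."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 2023.11 compares as 2023.11.0
    b += (0,) * (width - len(b))
    return a >= b


def assess(xml_text, patched):
    """Summarise one server: installed release and whether it is patched."""
    installed = server_version_from_xml(xml_text)
    return {"installed": installed, "patched": is_patched(installed, patched)}


def fetch_server_xml(base_url, token):
    """Fetch /app/rest/server using a TeamCity access token (network helper,
    not exercised offline). Assumes the token has permission to read server info."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/app/rest/server",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; in production, feed
    # fetch_server_xml(...) output and the advisory's release string instead.
    print(assess(SAMPLE_SERVER_XML, "2023.05.4"))
```

Run it in an inventory loop over every TeamCity host you own; any server reported as unpatched should be prioritised for the update step and then checked against the published IoCs, since the advisory describes attackers establishing persistence after the initial exploit rather than relying on the vulnerability alone.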