SecurityWeek


Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

US, UK, and Poland warn of Russia-linked cyberespionage group’s broad exploitation of recent TeamCity vulnerability.

The Russian cyberespionage group known as APT29 has been exploiting a recent TeamCity vulnerability on a large scale since September 2023, according to government agencies in the US, UK, and Poland.

The issue, tracked as CVE-2023-42793 (CVSS score of 9.8) and affecting on-premises TeamCity instances, is an authentication bypass that an unauthenticated remote attacker can exploit without user interaction to execute code on the server, steal sensitive information, and take over vulnerable instances.

Exploitation of the bug started within days of patches being released in late September 2023, with several ransomware groups observed targeting CVE-2023-42793. By the end of October, North Korean state-sponsored threat actors were also exploiting the flaw.

Now, government agencies in the US, the UK, and Poland reveal that at least one Russian nation-state actor has been exploiting the vulnerability in cyberattacks since September.

The hacking group, tracked as APT29, Cozy Bear, the Dukes, Midnight Blizzard, Nobelium, and Yttrium, is believed to be sponsored by the Russian Foreign Intelligence Service (SVR), and was previously blamed for the 2016 hack of the Democratic National Committee, the 2020 SolarWinds supply chain attack, and various other high-profile intrusions.

“The SVR has been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” the government agencies noted in a joint advisory (PDF).

In the observed attacks, APT29 exploited CVE-2023-42793 to execute code with high privileges and gain a foothold in the target environments. Next, the attackers performed host and network reconnaissance (showing particular interest in SQL servers), attempted to disable EDR and antivirus software, established persistence, and exfiltrated files and other sensitive data.

The cyberespionage group was observed using multiple custom and open source tools and backdoors, such as the GraphicalProton malware, which was initially detailed in July 2023 (PDF).


TeamCity is a continuous integration and deployment (CI/CD) server that software developers use to build, test, and release their code. A compromised TeamCity server exposes source code, signing certificates, and the build and deployment pipeline itself, which is what makes such servers useful staging points for software supply chain attacks like the one aimed at SolarWinds.

“While the authoring agencies assess the SVR has not yet used its accesses to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure,” the government agencies pointed out.

On the day the joint advisory was released, Fortinet published a technical analysis of an APT29 attack against a US organization in the biomedical manufacturing sector, noting that it had observed multiple threat actors attempting to exploit the same vulnerable environment.

Organizations are advised to review JetBrains’ advisory on CVE-2023-42793, update on-premises TeamCity instances to a patched release, and review the indicators of compromise (IoCs) released by the US, UK, and Polish agencies and by Fortinet to hunt for malicious activity in their environments. Patching closes the entry point but does not evict an attacker who already used it, so servers that were exposed while unpatched should be checked for the post-exploitation activity described above before they are trusted again.
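The hunt recommended above, as an added example that is not part of the article or of the agencies’ advisory: it scans access-log lines from a reverse proxy in front of an on-premises TeamCity server for the request paths used by the public CVE-2023-42793 exploit chain (an unauthenticated token request through the `/app/rest/**/RPC2` path-suffix bypass, an `internal.properties` edit that sets `rest.debug.processes.enable`, and a process launch through `/app/rest/debug/processes`). Those paths come from the public disclosure of the vulnerability, not from this article; the combined log format, the IP addresses and every line in `SAMPLE_LOG` are constructed for illustration.

```python
"""Hunt for CVE-2023-42793 exploitation traces in HTTP access logs that sit in
front of an on-premises TeamCity server (added example; the log format and the
sample lines are constructed, not taken from the article or the advisory)."""
import re
from dataclasses import dataclass

# Request-path indicators for the three stages of the public exploit chain:
#   1. the `/app/rest/**/RPC2` wildcard that skipped authentication, used to
#      create an access token for an existing (admin) user;
#   2. enabling `rest.debug.processes.enable` through the internal.properties
#      editor so the REST debug endpoint accepts process launches;
#   3. launching a process through `/app/rest/debug/processes`.
INDICATORS = {
    "rpc2_auth_bypass": re.compile(r"^/app/rest/.+/RPC2(\?|$)"),
    "enable_debug_processes": re.compile(
        r"^/admin/dataDir\.html\?.*fileName=config/internal\.properties"
        r".*rest\.debug\.processes\.enable"
    ),
    "debug_process_exec": re.compile(r"^/app/rest/debug/processes(\?|$)"),
}

# Assumed: combined (Apache/nginx-style) access log from the reverse proxy or
# Tomcat access-log valve in front of TeamCity. Adjust for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    indicator: str

    @property
    def succeeded(self) -> bool:
        # A 2xx response to an exploit-chain request means the server honoured
        # it; anything else (e.g. a 404 from a patched build) is an attempt only.
        return 200 <= self.status < 300


def classify(path: str):
    """Return the name of the indicator a request path matches, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(path):
            return name
    return None


def scan(log_text: str) -> list:
    """Parse each access-log line and keep those matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicator = classify(m["path"])
        if indicator:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"],
                            int(m["status"]), indicator))
    return hits


def summarize(hits) -> dict:
    """Per source IP: which stages were touched and whether any got a 2xx."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h.ip, {"indicators": set(), "succeeded": False})
        entry["indicators"].add(h.indicator)
        entry["succeeded"] = entry["succeeded"] or h.succeeded
    return {ip: {"indicators": sorted(e["indicators"]), "succeeded": e["succeeded"]}
            for ip, e in summary.items()}


def full_chain(hits) -> list:
    """IPs that ran all three stages and got a 2xx on the process launch:
    treat these as confirmed compromise rather than scanning."""
    by_ip = summarize(hits)
    confirmed = {h.ip for h in hits
                 if h.indicator == "debug_process_exec" and h.succeeded
                 and set(by_ip[h.ip]["indicators"]) == set(INDICATORS)}
    return sorted(confirmed)


# Constructed sample: one full chain, one benign client, one failed attempt.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Sep/2023:10:14:01 +0000] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0 "-" "curl/8.2.1"
203.0.113.10 - - [27/Sep/2023:10:14:02 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 231 "-" "curl/8.2.1"
203.0.113.10 - - [27/Sep/2023:10:14:05 +0000] "POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable%3Dtrue HTTP/1.1" 200 18 "-" "curl/8.2.1"
203.0.113.10 - - [27/Sep/2023:10:14:09 +0000] "POST /app/rest/debug/processes?exePath=whoami HTTP/1.1" 200 64 "-" "curl/8.2.1"
198.51.100.7 - - [27/Sep/2023:10:20:44 +0000] "GET /app/rest/builds?locator=count:10 HTTP/1.1" 200 5120 "-" "TeamCity-Agent/2023.05"
198.51.100.7 - - [27/Sep/2023:10:21:00 +0000] "GET /login.html HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.55 - - [27/Sep/2023:10:30:12 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, info in summarize(found).items():
        print(ip, info)
    print("confirmed full chain:", full_chain(found))
```

Run it against the real proxy log instead of `SAMPLE_LOG`; a source that appears only under `rpc2_auth_bypass` with non-2xx responses is most likely a scanner probing a patched server, while any source returned by `full_chain` warrants treating the host as compromised.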


Written by Ionut Arghire, international correspondent for SecurityWeek.
