Russia joins North Korea in sending state-sponsored cyber troops to pick on TeamCity users

Trending 2 months ago

The violative cyber portion linked to Russia's Foreign Intelligence Service (SVR) is exploiting nan captious vulnerability affecting nan JetBrains TeamCity CI/CD server astatine scale, and has been since September, authorities warn.

The news came successful an advisory issued by nan US' Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), nan Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and nan UK's National Cyber Security Centre (NCSC).

Announced successful precocious September, nan vulnerability, tracked arsenic CVE-2023-42793 pinch a 9.8 severity score, tin beryllium seen arsenic analogous to nan 1 that facilitated nan 2020 onslaught connected SolarWinds – which claimed much than 18,000 victims.

The utilization successful TeamCity could springiness attackers capable entree to manipulate a software's root code, motion certificates, and compile and deploy processes, nan advisory says.

Although SVR has reportedly exploited servers since September, authorities person not gathered grounds to propose they person utilized this entree to motorboat attacks akin to nan SolarWinds case.

However, nan grounds suggests nan entree was utilized to works further backdoors successful victim's environments aft attackers escalated their privileges and moved laterally astir compromised networks.

Software proviso concatenation attacks are peculiarly valuable for attackers fixed nan imaginable for delivering malicious codification that's signed arsenic "trusted" to an untold number of organizations.

North Korea is continually looking for opportunities successful this area, recent reports revealed, and nan country's state-sponsored attackers were among nan first to beryllium observed exploiting CVE-2023-42793.

The authorities warned that though SolarWinds-like attacks person not yet been carried retired arsenic a consequence of nan SVR's TeamCity exploitation, they judge attackers are still successful a preparatory shape and that much superior attacks whitethorn travel further down nan line.

Currently, nan SVR's priorities look to beryllium establishing a foothold successful victims' environments and deploying bid and power (C2) infrastructure that's difficult to observe – a motion of attackers laying nan groundwork for early operations.

Legitimate services for illustration Dropbox person been utilized to disguise nan SVR's C2 postulation and malware-related information passing done these were obfuscated wrong randomly generated BMP files.

Attackers were besides spotted abusing OneDrive for nan aforesaid purposes, but Microsoft has since confirmed this was disrupted.

This activity was spotted pinch nan SVR's usage of nan GraphicalProton backdoor, which itself was wrapped successful galore layers of encryption, obfuscation, encoders, and stagers.

The malware has remained mostly unchanged successful nan months since nan authorities began search it. However, different variants are being spotted, immoderate pinch "noteworthy" packaging that usage DLL hijacking successful nan unfastened root monitoring instrumentality Zabbix to statesman execution and perchance facilitate semipermanent stealthy entree to victims' environments. 

Another version besides hides its activity wrong unfastened root C++ build study instrumentality vcperf.

Other post-exploitation activity has progressive nan deployment of nan Mimikatz toolkit, enumerating victims' Active Directories, disabling antivirus and EDR tools, and more.

The advisory contains an extended database of recommended mitigations and indicators of discuss to thief imaginable victims uncover immoderate undetected activity.

The number of TeamCity users exploited by nan SVR wasn't disclosed, but nan US, Polish and UK authorities opportunity successful nan advisory that exploits are being carried retired connected "a ample scale."

Telemetry from Shadowserver indicates that astir 800 TeamCity instances stay susceptible to CVE-2023-42793 exploits arsenic of this week, contempt patches released by JetBrains successful precocious September.

Aligned pinch Russia's ambitions

The authorities opportunity nan attempts to utilization TeamCity connected a ample standard fresh successful pinch nan country's wide objectives successful cyberspace, which person remained mostly unchanged for nan past 10 years.

"Since 2013, cybersecurity companies and governments person reported connected SVR operations targeting unfortunate networks to bargain confidential and proprietary information," they opportunity successful nan advisory. 

"A decade later, nan authoring agencies tin infer a semipermanent targeting shape aimed astatine collecting, and enabling nan postulation of overseas intelligence, a wide conception that for Russia encompasses accusation connected nan politics, economics, and subject of overseas states; subject and technology; and overseas counterintelligence. The SVR besides conducts cyber operations targeting exertion companies that alteration early cyber operations."

For nan past decade, nan SVR has chiefly relied connected spear phishing (targeted phishing) methods to bargain political, economic, scientific, and technological overseas intelligence. It was been known to target nan likes of governments, deliberation tanks and argumentation groups, acquisition institutions, and governmental organizations. 

The authorities besides opportunity it's little communal for nan SVR to bargain accusation by exploiting vulnerabilities and breaking into targets' systems, though nan group has extended acquisition successful nan area.

  • Memory-safe languages truthful basking correct now, agrees Lazarus Group arsenic it slings DLang malware
  • Korean peninsula abstraction title sees South and North motorboat tit for tat spy sats
  • North Korea makes uncovering a gig moreover harder by attacking candidates and employers
  • Industry piles successful connected North Korea for sustained rampage connected package proviso chains

Among nan examples nan agency cites is nan 2020 case successful which nan SVR targeted organizations progressive successful nan improvement of COVID-19 vaccines utilizing nan civilization malware WellMess, WellMail, and Sorefang. 

In this week's advisory, nan spy agencies uncover for nan first clip that this malware was besides utilized to target companies operating successful nan power assemblage successful summation to nan biomedical sector, though fewer specifications were disclosed astir this revelation.

It besides cites SolarWinds, an onslaught that Microsoft's Brad Smith famously branded nan astir blase successful history, nan attribution for which didn't travel until nan pursuing year.

"This attribution marked nan find that nan SVR had, since astatine slightest 2018, expanded nan scope of its cyber operations to see nan wide targeting of accusation exertion companies," nan authorities say. 

"At slightest immoderate of this targeting was aimed astatine enabling further cyber operations. Following this attribution, nan US and UK governments published advisories highlighting further SVR TTPs, including its exploitation of various CVEs, nan SVR's usage of 'low and slow' password spraying techniques to summation first entree to immoderate victims' networks, exploitation of a zero-day exploit, and exploitation of Microsoft 365 unreality environments." ®