Russia-based attackers target TeamCity (CVE-2023-42793)  

Russia-based attackers target TeamCity (CVE-2023-42793)  

If you are a business owner who has deployed JetBrains TeamCity for your business, then you should read this.

Russia-based attackers who go by many names, including APT29, Blue Bravo, Cloaked Ursa, the Dukes, Cozybear, and NOBELIUM/Midnight Blizzard, are persistently targeting JetBrains, a Czech-based company known for its Continuous Integration and Continuous Development software TeamCity.

It is the same group that orchestrated the Solar Winds attack three years ago. According to many sources, there were 18000 cases of compromise across the globe.  CISA has warned that since September, Russian Foreign Intelligence Services (SVR) have been exploiting the CVE 2023-42793 security vulnerability.

It is a critical vulnerability with a CVSS score of 9.8. It has been a decade since the SVR cyber operations are persistently private and public organizations engage in the theft of confidential and proprietary information.

Only recently has SVR changed its focus and has begun orchestrating long-term and undetectable persistent attacks that seek to collect intel, secrets, and critical information on political, scientific, economic, and military information. SVR has an ongoing spear phishing campaign that goes by the name of Diplomatic Orbiter targeted toward diplomatic agencies.

Their primary target also includes technology companies responsible for the future cybersecurity operations of a nation. TeamCity is a popularly used CI/CD server for build management and continuous integration. It assists by quickly delivering applications to customers by automating multiple processes under app development.   

TeamCity has more than fifteen thousand customers across the globe. It was released in 2006 as commercial software with a proprietary license. TeamCity has released an update recently with the fix for the said vulnerability, limiting the attackers to the users who haven’t updated their TeamCity and are using internet-facing servers.   

Technical Dissection

By exploiting the security vulnerability CVE 2023-42793 in TeamCity, attackers can engage in the execution of arbitrary code in the TeamCity server. They have targeted the server to steal source code, service secrets, and private keys that practically gave them the steering wheel to drive attached build agents and poison the build artifacts.

To put it simply, attackers can access the build processes and inject malicious code, affecting the security of the software that is released. It is negatively impacting the security of thousands of end users. They have gained initial access by laterally moving across the network gathering information, escalating privileges, and engaging in data exfiltration, all being undetectable using EDRSandBlast. They have targeted TeamCity to establish a backdoor named GraphicalProton/ VaporRage that will be used to deliver multiple malicious payloads.   

Through the exploit, SVR gained a considerable high privilege granting them the control they needed to maintain their persistence in their target’s network. Upon gaining access to the server, they could access the software developer’s source code, sign certificates, and subvert the processes of software compilation and deployment. Post exploit they can   

SharkStriker’s recommendations and implemented measures

To keep our clients across the globe secure from the consequences of the exploit, we have taken the below measures for all our clients and partners:

• We recommend all our clients that have deployed TeamCity to keep their software updated with the latest patches.   
• We have engaged in continuous monitoring of the IT infrastructure to detect suspicious activities for preemptive response to threats.   
• Based on the Indicators of Compromise provided by CISA and other regulatory bodies, our threat hunters have analyzed and treated vulnerabilities before they cause any operational disruption.   
• Our SOC team has configured their threat detection mechanisms for early detection and precise response to the threats.   
• All our customers can easily check their cybersecurity posture status in real-time through STREIGO‘s dashboards.