Russia-based attackers target TeamCity (CVE-2023-42793)

By Vinith Sengunthar, December 18, 2023

If you are a business owner who has deployed JetBrains TeamCity for your business, then you should read this.

Russia-based attackers who go by many names, including APT29, Blue Bravo, Cloaked Ursa, the Dukes, Cozy Bear, and NOBELIUM/Midnight Blizzard, are persistently targeting JetBrains, a Czech-based company known for its continuous integration and continuous delivery (CI/CD) software, TeamCity. It is the same group that orchestrated the SolarWinds attack three years ago. According to many sources, there were 18,000 cases of compromise across the globe.

CISA has warned that since September, the Russian Foreign Intelligence Service (SVR) has been exploiting the CVE-2023-42793 security vulnerability. It is a critical vulnerability with a CVSS score of 9.8.

For more than a decade, SVR cyber operations have persistently targeted private and public organizations to steal confidential and proprietary information. Only recently has the SVR shifted its focus to long-term, hard-to-detect persistent intrusions that seek to collect intelligence, secrets, and critical information on political, scientific, economic, and military matters. The SVR also runs an ongoing spear-phishing campaign, known as Diplomatic Orbiter, that targets diplomatic agencies. Its primary targets also include technology companies responsible for the future cybersecurity operations of a nation.

TeamCity is a widely used CI/CD server for build management and continuous integration. It helps deliver applications to customers quickly by automating many of the processes involved in application development. TeamCity has more than fifteen thousand customers across the globe.
It was released in 2006 as commercial software with a proprietary license. TeamCity recently released an update that fixes the vulnerability, which limits the attackers to users who have not updated TeamCity and are running internet-facing servers.

Technical Dissection

By exploiting CVE-2023-42793 in TeamCity, attackers can execute arbitrary code on the TeamCity server. They have targeted the server to steal source code, service secrets, and private keys, which practically gave them the steering wheel to drive attached build agents and poison build artifacts. To put it simply, attackers can access the build processes and inject malicious code, compromising the security of the software that is released and, in turn, of thousands of end users. After gaining initial access, they moved laterally across the network, gathering information, escalating privileges, and exfiltrating data, all while evading detection with EDRSandBlast. They have targeted TeamCity to establish a backdoor named GraphicalProton/VaporRage that is used to deliver multiple malicious payloads. Through the exploit, the SVR gained considerably high privileges, granting them the control they needed to maintain persistence in the target's network. Upon gaining access to the server, they could access the software developer's source code and signing certificates and subvert the software compilation and deployment processes. Post exploit they can

SharkStriker's recommendations and implemented measures

To keep our clients across the globe secure from the consequences of the exploit, we have taken the below measures for all our clients and partners:

- We recommend that all our clients that have deployed TeamCity keep their software updated with the latest patches.
- We have engaged in continuous monitoring of the IT infrastructure to detect suspicious activities for preemptive response to threats.
- Based on the Indicators of Compromise provided by CISA and other regulatory bodies, our threat hunters have analyzed and treated vulnerabilities before they cause any operational disruption.
- Our SOC team has configured its threat detection mechanisms for early detection and precise response to the threats.

All our customers can easily check their cybersecurity posture status in real time through STRIEGO's dashboards.
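The first recommendation above, keeping internet-facing TeamCity servers on a fixed release, is the kind of check a defender can automate across an inventory. The following is an added example (not code from the original post or from SharkStriker): it parses the version a TeamCity server reports on its REST endpoint and flags installs below the fixed release. The XML shape and attribute names are assumed from TeamCity's public REST API, the sample response is constructed, and the fixed version used here is a placeholder to be replaced with the one in JetBrains' advisory for CVE-2023-42793.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed sample of the XML returned by TeamCity's REST endpoint GET /app/rest/server.
# Attribute names follow the public REST API as assumed here; the values are made up for
# this example and do not describe any real server.
SAMPLE_SERVER_XML = """<server version="2023.05.2 (build 129254)" versionMajor="2023" versionMinor="5"
        buildNumber="129254" webUrl="https://ci.example.invalid"/>"""

# TeamCity versions look like "2023.05.2 (build 129254)" or "2023.11 (build 147331)".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\(build\s+(\d+)\))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'YEAR.MONTH[.PATCH] [(build N)]' into (year, month, patch, build); missing parts become 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def server_version_from_xml(xml_text: str) -> str:
    """Extract the version attribute from a /app/rest/server response body."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("response does not look like /app/rest/server output")
    return root.attrib["version"]


def needs_patch(installed: str, fixed: str) -> bool:
    """True when the installed release (year.month.patch) is older than the release that ships the fix.

    Only the release triple is compared: build numbers are dropped so that a fixed version
    written without "(build N)" still compares correctly against a full version string.
    """
    return parse_version(installed)[:3] < parse_version(fixed)[:3]


if __name__ == "__main__":
    # FIXED is a placeholder; take the real fixed version from JetBrains' advisory for the CVE.
    FIXED = "2023.05.9"
    installed = server_version_from_xml(SAMPLE_SERVER_XML)
    status = "UNPATCHED - update before exposing to the internet" if needs_patch(installed, FIXED) else "patched"
    print(f"TeamCity {installed}: {status}")
```

In a real inventory run, `SAMPLE_SERVER_XML` would be replaced by the body fetched from each server's `/app/rest/server` endpoint with an authenticated request.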