Pierluigi Paganini December 14, 2023
Experts warn that the Russia-linked APT29 group has been observed targeting JetBrains TeamCity servers to gain initial access to the targets’ networks.
The APT29 group (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) exploited the flaw CVE-2023-42793 in TeamCity to carry out multiple malicious activities.
JetBrains TeamCity is a popular and highly extensible Continuous Integration (CI) and Continuous Delivery (CD) server developed by JetBrains, a software development company known for its developer tools. TeamCity is designed to automate various aspects of the software development process, including building, testing, and deploying applications, while providing a wide range of features and integrations to support collaborative development.
In September 2023, Sonar’s Vulnerability Research Team discovered the critical flaw CVE-2023-42793 (CVSS score of 9.8) in TeamCity.
The vulnerability is an authentication bypass issue affecting the on-premises version of TeamCity. An attacker can exploit the flaw to steal the target organization’s source code, stored service secrets, and private keys. By injecting malicious code into the build process, an attacker can also compromise the integrity of software releases and impact all downstream users.
“TeamCity server version 2023.05.3 and below is prone to an authentication bypass, which allows an unauthenticated attacker to gain remote code execution (RCE) on the server. This enables attackers not only to steal source code but also stored service secrets and private keys. And it’s even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users.” reads the post published by Sonar. “The attack does not require any user interaction.”
According to Shodan, more than 3,000 on-premises servers are exposed to the Internet.
The flaw impacts on-premises version 2023.05.3 and below, and JetBrains addressed the flaw with the release of version 2023.05.4. The issue does not affect TeamCity Cloud.
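A defender’s first step is to find which TeamCity instances in an inventory still need the 2023.05.4 update. The following triage script is an added example written for this article, not JetBrains code; the hostnames and version strings in INVENTORY are constructed, and it assumes the inventory already records whether each instance is on-premises or TeamCity Cloud.

```python
import re
from typing import Optional, Tuple

# Constructed inventory for illustration only; hosts and versions are made up.
INVENTORY = [
    {"host": "ci-01.example.test", "deployment": "on-prem", "version": "2023.05.3 (build 129390)"},
    {"host": "ci-02.example.test", "deployment": "on-prem", "version": "2023.05.4"},
    {"host": "ci-legacy.example.test", "deployment": "on-prem", "version": "2022.10.1"},
    {"host": "ci-cloud.example.test", "deployment": "cloud", "version": "2023.05.3"},
    {"host": "ci-03.example.test", "deployment": "on-prem", "version": "2023.11"},
]

FIXED_VERSION = (2023, 5, 4)  # first on-prem release that addresses CVE-2023-42793

# TeamCity versions look like year.month[.patch], sometimes followed by "(build N)"
_VERSION_RE = re.compile(r"^(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2023.05.3 (build 129390)' into (2023, 5, 3) and '2023.11' into (2023, 11, 0).
    Returns None when the string is not a TeamCity-style version."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    year, month, patch = m.groups()
    return (int(year), int(month), int(patch or 0))


def is_affected(raw_version: str, deployment: str) -> Optional[bool]:
    """True for an on-prem server at 2023.05.3 or below, False if patched or Cloud,
    None if the version cannot be parsed (treat as 'needs a manual check')."""
    if deployment.lower() == "cloud":
        return False  # TeamCity Cloud is not affected by this flaw
    parsed = parse_version(raw_version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def triage(inventory):
    """Split the inventory into (hosts that need patching, hosts needing manual review)."""
    affected, unknown = [], []
    for item in inventory:
        verdict = is_affected(item["version"], item["deployment"])
        if verdict is None:
            unknown.append(item["host"])
        elif verdict:
            affected.append(item["host"])
    return affected, unknown


if __name__ == "__main__":
    needs_patch, needs_review = triage(INVENTORY)
    print("patch needed:", needs_patch)
    print("manual check:", needs_review)
```

Any host that comes back in the "patch needed" list and is reachable from the Internet should be treated as a candidate for the opportunistic exploitation described in the advisory, not just as a patching backlog item.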
According to a joint report published by the U.S. Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC), the group has been targeting TeamCity servers since September 2023.
Since September 2023, Russian Foreign Intelligence Service (SVR)-affiliated cyber actors (also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard) have been targeting servers hosting JetBrains TeamCity software that ultimately enabled them to bypass authorization and conduct arbitrary code execution on the compromised server.
“The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.” reads the joint Cybersecurity Advisory (CSA) titled Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally. “The authoring agencies’ observations show that the TeamCity exploitation usually resulted in code execution [T1203] with high privileges granting the SVR an advantageous foothold in the network environment.”
The report includes details about the activities the APT group conducted after gaining access to the target networks, including reconnaissance, privilege escalation, lateral movement, and data exfiltration.
The nation-state actors used a “Bring Your Own Vulnerable Driver” (BYOVD) technique to evade detection by bypassing or killing defense solutions such as endpoint detection and response (EDR) and antivirus (AV) software.
The cyberspies used an open-source project called “EDRSandBlast” to remove Protected Process Light (PPL) protection. For a small subset of victims, the attackers then injected code into AV/EDR processes and used tools such as Mimikatz to steal credentials and expand their foothold in the target network.
The experts observed the attackers abusing a DLL hijacking vulnerability in Zabbix software, replacing a legitimate Zabbix DLL with a malware-laced DLL containing the GraphicalProton backdoor.
The threat actors were also spotted abusing a DLL hijacking flaw in Webroot antivirus software to replace a legitimate DLL with one containing the GraphicalProton backdoor.
The group obtained privilege escalation through multiple techniques, including WinPEAS, NoLMHash registry key modification, and the Mimikatz tool.
The group used WMIC to facilitate lateral movement.
APT29 breached a few dozen companies in the United States, Europe, Asia, and Australia. The experts are also aware of over a hundred compromised devices; they pointed out that the attacks against TeamCity servers are opportunistic in nature.
“Generally, the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that SVR’s exploitation of these victims’ networks was opportunistic in nature and not necessarily a targeted attack.” concludes the report. “Identified victims included: an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.”
The report includes mitigations for the ongoing campaign.