Russia joins North Korea in sending state-sponsored cyber troops to pick on TeamCity users

December 14, 2023 TH Author

Updated The offensive cyber unit linked to Russia’s Foreign Intelligence Service (SVR) is exploiting the critical vulnerability affecting the JetBrains TeamCity CI/CD server at scale, and has been since September, authorities warn.

The news came in an advisory issued by the US’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC).

Announced in late September, the vulnerability, tracked as CVE-2023-42793 with a 9.8 severity score, can be seen as analogous to the one that facilitated the 2020 attack on SolarWinds – which claimed more than 18,000 victims.

The exploit in TeamCity could give attackers enough access to manipulate a software’s source code, sign certificates, and compile and deploy processes, the advisory says.

Although SVR has reportedly exploited servers since September, authorities have not gathered evidence to suggest they have used this access to launch attacks similar to the SolarWinds case.

However, the evidence suggests the access was used to plant additional backdoors in victim’s environments after attackers escalated their privileges and moved laterally around compromised networks.

Software supply chain attacks are particularly valuable for attackers given the potential for delivering malicious code that’s signed as “trusted” to an untold number of organizations.

North Korea is continually looking for opportunities in this area, recent reports revealed, and the country’s state-sponsored attackers were among the first to be observed exploiting CVE-2023-42793.

The authorities warned that although SolarWinds-like attacks have not yet been carried out as a result of the SVR’s TeamCity exploitation, they believe attackers are still in a preparatory phase and that more serious attacks may come further down the line.

Currently, the SVR’s priorities appear to be establishing a foothold in victims’ environments and deploying command and control (C2) infrastructure that’s difficult to detect – a sign of attackers laying the groundwork for future operations.

Legitimate services like Dropbox have been used to mask the SVR’s C2 traffic and malware-related data passing through these were obfuscated inside randomly generated BMP files.

Attackers were also spotted abusing OneDrive for the same purposes, but Microsoft has since confirmed this was disrupted.

This activity was spotted with the SVR’s use of the GraphicalProton backdoor, which itself was wrapped in numerous layers of encryption, obfuscation, encoders, and stagers.

The malware has remained largely unchanged in the months since the authorities began tracking it. However, different variants are being spotted, some with “noteworthy” packaging that use DLL hijacking in the open source monitoring tool Zabbix to begin execution and potentially facilitate long-term stealthy access to victims’ environments.

Another variant also hides its activity within open source C++ build analysis tool vcperf.

Other post-exploitation activity has involved the deployment of the Mimikatz toolkit, enumerating victims’ Active Directories, disabling antivirus and EDR tools, and more.

The advisory contains an extensive list of recommended mitigations and indicators of compromise to help potential victims uncover any undetected activity.

The number of TeamCity users exploited by the SVR wasn’t disclosed, but the US, Polish and UK authorities say in the advisory that exploits are being carried out on “a large scale.”

Telemetry from Shadowserver indicates that nearly 800 TeamCity instances remain vulnerable to CVE-2023-42793 exploits as of this week, despite patches released by JetBrains in late September.

Aligned with Russia’s ambitions

The authorities say the attempts to exploit TeamCity on a large scale fit in with the country’s broad objectives in cyberspace, which have remained largely unchanged for the past ten years.

“Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information,” they say in the advisory.

“A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations.”

For the past decade, the SVR has primarily relied on spear phishing (targeted phishing) methods to steal political, economic, scientific, and technological foreign intelligence. It was been known to target the likes of governments, think tanks and policy groups, educational institutions, and political organizations.

The authorities also say it’s less common for the SVR to steal information by exploiting vulnerabilities and breaking into targets’ systems, though the group has extensive experience in the area.

Among the examples the agency cites is the 2020 case in which the SVR targeted organizations involved in the development of COVID-19 vaccines using the custom malware WellMess, WellMail, and Sorefang.

In this week’s advisory, the spy agencies reveal for the first time that this malware was also used to target companies operating in the energy sector in addition to the biomedical sector, though few details were disclosed about this revelation.

It also cites SolarWinds, an attack that Microsoft’s Brad Smith famously branded the most sophisticated in history, the attribution for which didn’t come until the following year.

“This attribution marked the discovery that the SVR had, since at least 2018, expanded the range of its cyber operations to include the widespread targeting of information technology companies,” the authorities say.

“At least some of this targeting was aimed at enabling additional cyber operations. Following this attribution, the US and UK governments published advisories highlighting additional SVR TTPs, including its exploitation of various CVEs, the SVR’s use of ‘low and slow’ password spraying techniques to gain initial access to some victims’ networks, exploitation of a zero-day exploit, and exploitation of Microsoft 365 cloud environments.” ®

Updated at 14.58 on Dece,ber 14, 2023, to add:

Yaroslav Russkih, head of security at JetBrains, sent us the following statement:

“We were informed about this vulnerability earlier this year and immediately fixed it in TeamCity 2023.05.4 update, which was released on September 18, 2023. Since then, we have been contacting our customers directly or via public posts motivating them to update their software. We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn’t upgrade in time. In addition, we have been sharing the best security practices to help our customers strengthen the security of their build pipelines. As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted.”