JetBrains TeamCity flaw risks spiraling out of control as hackers target businesses


UK and US security agencies have warned that hackers from Russia’s SVR foreign intelligence service are using a known flaw in JetBrains TeamCity software to attack targets with unpatched systems.

The agencies said that the group – also known as APT 29, the Dukes, CozyBear, and Nobelium by various security companies – has been using the CVE-2023-42793 security flaw in its attacks “at a large scale” since September.

TeamCity is a widely used Continuous Integration and Continuous Deployment (CI/CD) server. The vulnerability may enable an unauthenticated attacker to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server.

While the vulnerability has been fixed by JetBrains in version 2023.05.4, it seems that there are still a number of organizations that have not patched the software, leaving them at risk.

The flaw was initially discovered by security company Sonar, which noted in its write-up that attackers could use the flaw to gain access to source code.

“CI/CD servers like TeamCity are used to automate the process of building, testing, and deploying software applications,” the company said. “This means that these servers have access to one of the most valuable assets of a company: source code.”

In an advisory issued by the NSA, the agency revealed that a few dozen compromised companies have been discovered while over a hundred compromised devices have been identified – although this number is expected to increase.

So far, the victims do not fit into the obvious pattern – apart, that is, from having an unpatched, internet-facing JetBrains TeamCity server.

Victim organizations include an energy trade association, companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games, as well as hosting companies, tools manufacturers, and IT firms.

“Russian cyber actors continue taking advantage of known vulnerabilities for intelligence collection,” said Rob Joyce, Director of NSA’s Cybersecurity Directorate. “It is critical to ensure systems are patched quickly.”

Software developers use TeamCity software to manage and automate building, testing, and releasing software. That means gaining access to a TeamCity server could give attackers access to a developer’s source code and signing certificates - and the ability to interfere with the software deployment processes, the NSA said in a cybersecurity advisory (PDF).

This could allow hackers to conduct further supply chain attacks against the developers’ customers.

So far, rather than doing so, Russia’s hackers have used the access gained by exploiting the TeamCity flaw to escalate their privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised networks.

JetBrains TeamCity: Firms should ‘assume compromise’ 

The NSA said all organizations with affected systems that did not immediately apply patches or workarounds should assume compromise and initiate “threat hunting activities”.

The agency said operations by Russia’s SVR foreign intelligence agency are a “persistent threat” to public and private organizations’ networks globally, and in the last ten years it has been targeting victim networks to steal confidential and proprietary information.

As well as looking for political, economic, and military-related information of other states, the SVR also targets technology companies to carry out attacks against their customers.

It’s a group that has made the headlines before, being implicated in the attack on the Democratic National Committee back in 2015-16.


In April 2021, the US government attributed a supply chain attack targeting tech company SolarWinds and its customers to the SVR, and most recently it was accused of using custom malware to target organizations involved in COVID-19 vaccine development, as well as energy companies.

The NSA and other agencies said that, by exploiting CVE-2023-42793, a flaw in a software development program, the SVR could benefit from access to victims, particularly by compromising the networks of dozens of software developers.

While it seems the SVR hackers have not yet used their access to software developers to reach customer networks, and are likely still in the preparatory phase of the operation, having access to these companies’ networks presents the SVR with opportunities to build hard-to-detect command and control infrastructure.

What can you do about it?

The NSA lists a number of potential mitigations, including:

  • Apply the patches for CVE-2023-42793 already issued by JetBrains TeamCity in mid-September 2023.
  • Monitor your network for evidence of encoded commands and execution of network scanning tools.
  • Ensure host-based antivirus and endpoint monitoring is running and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
  • Require use of multi-factor authentication, particularly for email, virtual private networks, and accounts that access critical systems.
  • Audit log files to identify attempts to access privileged certificates or the creation of fake identity providers.
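Two of the checks above (confirming the TeamCity version is at or past the fixed release, and hunting process logs for encoded commands and network-scanning tools) can be scripted. The following is an added example written for this article; it is not code from the NSA advisory, JetBrains or TeamCity. It assumes TeamCity version strings compare as dotted numeric tuples, that the “encoded commands” worth hunting are Base64-encoded PowerShell command lines (which decode as UTF-16LE), and it uses constructed sample log lines and an assumed list of scanner process names.

```python
"""Defender-side checks drawn from the NSA mitigation list.

Added example; not code from the NSA advisory, JetBrains or TeamCity.
Assumptions (not from the article): TeamCity version strings compare as
dotted numeric tuples, and the "encoded commands" being hunted are
Base64-encoded PowerShell command lines (-EncodedCommand and its short
forms), which decode as UTF-16LE.  The log lines below are constructed.
"""
import base64
import re

# The article states the fix shipped in TeamCity 2023.05.4.
FIXED_VERSION = (2023, 5, 4)

# Short forms PowerShell accepts for -EncodedCommand, followed by a Base64 blob.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)

# Scanner process names worth alerting on inside a CI/CD network (assumed list).
SCAN_TOOLS = ("nmap", "masscan", "nbtscan", "zmap")


def parse_version(text):
    """'2023.05.4' -> (2023, 5, 4); '2023.11' -> (2023, 11)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable TeamCity version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_text):
    """True when the running version is at or above the fixed release.

    Tuple comparison makes 2023.11 >= 2023.05.4 and 2023.05 < 2023.05.4.
    """
    return parse_version(version_text) >= FIXED_VERSION


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand payload, or None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_log_line(line):
    """Return a list of (kind, detail) findings for one process-creation log line."""
    findings = []
    match = ENCODED_FLAG.search(line)
    if match:
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            findings.append(("encoded_command", decoded))
    lowered = line.lower()
    for tool in SCAN_TOOLS:
        if re.search(rf"\b{tool}(?:\.exe)?\b", lowered):
            findings.append(("scan_tool", tool))
    return findings


def scan_log(lines):
    """Map 1-based line number -> findings, omitting clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_log_line(line)
        if hits:
            report[number] = hits
    return report


def _ps_encode(command):
    """Build a Base64/UTF-16LE payload the way PowerShell expects it (sample data only)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample lines in the style of a process-creation audit log.
SAMPLE_LOG = [
    "2023-09-30T10:14:02Z host=build01 user=svc_teamcity cmd=java -jar TeamCity.jar",
    "2023-09-30T10:15:11Z host=build01 user=svc_teamcity cmd=powershell.exe"
    " -ExecutionPolicy Bypass -File C:\\build\\run.ps1",
    "2023-09-30T10:16:40Z host=build01 user=svc_teamcity cmd=powershell.exe -enc "
    + _ps_encode("Get-Service | Where-Object Status -eq Running"),
    "2023-09-30T10:18:05Z host=build01 user=svc_teamcity cmd=nmap.exe 10.0.0.0/24",
]

if __name__ == "__main__":
    for version in ("2023.05.3", "2023.05.4", "2023.11"):
        print(version, "patched" if is_patched(version) else "VULNERABLE")
    for number, hits in scan_log(SAMPLE_LOG).items():
        for kind, detail in hits:
            print(f"line {number}: {kind}: {detail}")
```

The decoder deliberately tolerates junk: a long alphanumeric token that is not valid Base64, or that does not decode as UTF-16LE, is ignored rather than raising, so the scan can run over a whole day of process logs without stopping on the first odd command line. The `-ExecutionPolicy Bypass` line is included as a decoy to show that the flag matcher only fires when a Base64 blob actually follows an `-e`/`-enc`/`-EncodedCommand` switch.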

In a blog post JetBrains said customers should upgrade their TeamCity server to the fixed version (2023.05.4 or the latest 2023.11) or apply the security patch plugin if they are using an earlier version of TeamCity. 

The company said if a server is publicly accessible over the internet and customers are unable to update it or apply the security patch plugin immediately, it recommends temporarily making it inaccessible until the update has been applied and they’ve investigated whether the TeamCity environment has been compromised.

JetBrains added that customers should review the Indicators of Compromise and Detection Methods released by CISA.

However, it noted that there was “little probability of your instance having been exploited if you immediately upgraded or applied the patch when it was made available, given that the first recorded attacks took place in September 2023”. 

IT Pro has approached JetBrains for additional comment.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.