
Researchers at Microsoft have discovered that North Korean nation-state threat actors tracked as Diamond Sleet and Onyx Sleet are exploiting a remote code execution vulnerability affecting multiple versions of the JetBrains TeamCity server.
During the month of September, JetBrains issued a critical security update to patch its TeamCity build management and continuous integration server.
The vulnerability, tracked as CVE-2023-42793, allows unauthenticated attackers to execute arbitrary code on on-premises TeamCity servers, which enables them to steal source code, service secrets and private keys.
TeamCity’s on-premises CI/CD server is used by more than 30,000 users worldwide, including Nike, Ferrari, Citibank, and Ubisoft.
Diamond Sleet prioritizes espionage, data theft, financial gain, and network destruction. It is known to target media, IT services, and defense-related entities around the world.
Diamond Sleet used the backdoor Forest64.exe, known as ForestTiger. Once hackers successfully compromise TeamCity servers, they use PowerShell to download two payloads – the backdoor and a malware configuration file – from legitimate infrastructure previously compromised by the threat actor.
Once launched, ForestTiger checks for the configuration file, then reads and decrypts its contents using an embedded key in order to obtain parameters such as the command-and-control server.
Microsoft said ForestTiger creates a scheduled task named Windows TeamCity Settings User Interface to run every time the system starts.
Diamond Sleet also uses PowerShell on compromised servers to download a malicious DLL from attacker-controlled infrastructure. This malicious DLL is staged alongside a legitimate .exe file to carry out DLL search-order hijacking.
Onyx Sleet has used the TeamCity exploit to create a new user account named “krtbgt” on compromised systems. The name is likely intended to impersonate the legitimate Windows account KRBTGT, the Kerberos Ticket Granting Ticket account, Microsoft said.
The threat actor adds the account to the local Administrators group, which enables it to run several system discovery commands on compromised systems, including:
net localgroup 'Remote Desktop Users'
net localgroup Administrators
cmd.exe "/c tasklist | findstr Sec"
cmd.exe "/c whoami"
cmd.exe "/c netstat -nabp tcp"
cmd.exe "/c ipconfig /all"
cmd.exe "/c systeminfo"
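The persistence task, the look-alike account and the discovery commands described above are all visible in a Windows Security log. The following hunting script is an added example, not code from Microsoft or JetBrains: it walks a stream of simplified event records (scheduled task created, user created, member added to a local group, process created) and reports hosts that show the task name, the “krtbgt” account, or a burst of the listed discovery commands from one parent process. The record schema, the host names, the parent PIDs and every sample event are constructed for the example; only the indicator strings come from the article.

```python
"""Added hunting example (not Microsoft's or JetBrains' code): scans simplified
Windows Security event records for the post-exploitation behaviour described in
the article. The event schema and all sample records are constructed; only the
indicator strings (task name, account name, discovery commands) come from the text."""
import re
from dataclasses import dataclass, field

# Indicators quoted from the article.
TASK_NAME = "windows teamcity settings user interface"   # ForestTiger persistence task
LOOKALIKE_ACCOUNT = "krtbgt"                              # Onyx Sleet account mimicking KRBTGT
DISCOVERY_PATTERNS = [                                    # the discovery commands listed above
    re.compile(r"net\s+localgroup\s+'?remote desktop users'?", re.I),
    re.compile(r"net\s+localgroup\s+administrators\b", re.I),
    re.compile(r"tasklist\s*\|\s*findstr", re.I),
    re.compile(r"\bwhoami\b", re.I),
    re.compile(r"netstat\s+-nabp\s+tcp", re.I),
    re.compile(r"ipconfig\s+/all", re.I),
    re.compile(r"\bsysteminfo\b", re.I),
]
DISCOVERY_THRESHOLD = 4  # distinct discovery commands from one parent before alerting


@dataclass
class Event:
    """Simplified (constructed) Security-log record: 4698 = scheduled task created,
    4720 = user account created, 4732 = member added to local group,
    4688 = process created."""
    event_id: int
    host: str
    fields: dict = field(default_factory=dict)


def hunt(events):
    """Return (host, category, detail) findings for the indicators above."""
    findings = []
    seen_discovery = {}   # (host, parent pid) -> set of matched pattern indexes
    alerted = set()       # parents already reported, so the threshold fires once
    for ev in events:
        f = ev.fields
        if ev.event_id == 4698:
            if f.get("TaskName", "").strip("\\").lower() == TASK_NAME:
                findings.append((ev.host, "persistence", f"scheduled task {f['TaskName']!r}"))
        elif ev.event_id == 4720:
            if f.get("TargetUserName", "").lower() == LOOKALIKE_ACCOUNT:
                findings.append((ev.host, "lookalike-account", f"local user {f['TargetUserName']!r} created"))
        elif ev.event_id == 4732:
            # Real 4732 records identify the member by SID; resolving it to a name is assumed done upstream.
            if (f.get("TargetUserName", "").lower() == "administrators"
                    and f.get("MemberName", "").lower() == LOOKALIKE_ACCOUNT):
                findings.append((ev.host, "local-admin", f"{f['MemberName']!r} added to Administrators"))
        elif ev.event_id == 4688:
            key = (ev.host, f.get("ParentProcessId"))
            hits = seen_discovery.setdefault(key, set())
            hits.update(i for i, p in enumerate(DISCOVERY_PATTERNS) if p.search(f.get("CommandLine", "")))
            if len(hits) >= DISCOVERY_THRESHOLD and key not in alerted:
                alerted.add(key)
                findings.append((ev.host, "discovery",
                                 f"{len(hits)} distinct discovery commands under parent PID {key[1]}"))
    return findings


def _proc(host, ppid, cmd):
    """Helper to build a constructed process-creation record."""
    return Event(4688, host, {"ParentProcessId": ppid, "CommandLine": cmd})


# Constructed sample: build01 shows the full chain, build02 only benign admin noise.
SAMPLE_EVENTS = [
    Event(4698, "build01", {"TaskName": "\\Windows TeamCity Settings User Interface"}),
    Event(4720, "build01", {"TargetUserName": "krtbgt"}),
    Event(4732, "build01", {"TargetUserName": "Administrators", "MemberName": "krtbgt"}),
    _proc("build01", 4412, "net localgroup 'Remote Desktop Users'"),
    _proc("build01", 4412, "net localgroup Administrators"),
    _proc("build01", 4412, 'cmd.exe "/c tasklist | findstr Sec"'),
    _proc("build01", 4412, 'cmd.exe "/c whoami"'),
    _proc("build01", 4412, 'cmd.exe "/c netstat -nabp tcp"'),
    _proc("build01", 4412, 'cmd.exe "/c ipconfig /all"'),
    _proc("build01", 4412, 'cmd.exe "/c systeminfo"'),
    Event(4698, "build02", {"TaskName": "\\NightlyArtifactCleanup"}),
    Event(4732, "build02", {"TargetUserName": "Administrators", "MemberName": "svc_build"}),
    _proc("build02", 9001, 'cmd.exe "/c whoami"'),
    _proc("build02", 9001, "ipconfig /all"),
]

if __name__ == "__main__":
    for host, category, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: {category}: {detail}")
```

The discovery rule counts distinct commands per parent process rather than matching any single command, because `whoami` or `ipconfig /all` alone is routine administrator activity; the constructed build02 host shows that two such commands stay below the threshold while the full sequence on build01 is reported once.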
The actor also deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. This payload loads and decrypts an embedded PE resource, which is loaded into memory and launched directly.
The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Microsoft Defender Antivirus detects this proxy tool as HazyLoad.
Microsoft said it had observed the attackers using the “krtbgt” account to sign in to compromised devices via Remote Desktop Protocol, and that the actor made attempts to stop other hackers from exploiting the vulnerability to access TeamCity.
Microsoft has published further details in its blog post.