CozyBear exploiting JetBrains flaw – CVE-2023-42793

Russian Cozybear group is infiltrating JetBrains TeamCity servers using a critical vulnerability enabling authorization bypass and arbitrary code execution, government officials warn.

According to the advisory, the threat actors have been exploiting the bug, tracked as CVE-2023-42793, since September; a patch was made available on Sept. 18 in TeamCity version 2023.05.4.


The critical vulnerability enables unauthenticated attackers to gain administrator access to TeamCity servers and achieve remote code execution without the need for user interaction, according to SonarSource.

TeamCity is a continuous integration and continuous delivery (CI/CD) server used to manage and automate software development processes such as building, testing, and releasing. Over 30,000 JetBrains customers use TeamCity, and more than 3,000 on-premises servers were directly exposed to the internet when the bug was discovered.

According to the advisory, compromising these servers gives the threat actors access to software developers' source code and signing certificates, along with the ability to subvert software compilation and deployment processes; a malicious actor could further use that access to conduct supply chain operations.


The Russia-backed cybergang CozyBear, which conducted the massive SolarWinds supply chain attack in 2020, has compromised dozens of companies and more than a hundred devices by exploiting the JetBrains TeamCity flaw, officials said. Companies in the United States, Europe, Asia and Australia have been affected.

The joint government advisory states that identified victims include companies that provide software for billing, financial management, sales, marketing, customer care, employee monitoring, medical devices, and video games. The attackers also compromised small and large IT companies and an energy trade association.

CozyBear was seen using the Mimikatz tool to steal credentials from the Windows Registry and escalate privileges on compromised systems. They also used the GraphicalProton backdoor to exfiltrate sensitive information; this backdoor uses OneDrive and Dropbox as C2 channels to communicate with compromised devices, exchanging data by storing it in randomly generated BMP files to avoid detection.

JetBrains is notifying customers about the exploitation and reiterating recommendations to update on-premises TeamCity servers to version 2023.05.4 or later.
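As an added illustration (not code from the article or from JetBrains), the following Python helper parses TeamCity version strings from a server inventory and flags instances that predate 2023.05.4, the version the article names as carrying the fix; the hostnames, versions and build numbers in the sample inventory are constructed, and the check assumes the reported version string is the only signal available.

```python
import re
from typing import Optional, Tuple

# First TeamCity release carrying the fix for CVE-2023-42793 (per the article).
PATCHED_VERSION = (2023, 5, 4)

# Matches 'YYYY.MM' or 'YYYY.MM.N', optionally followed by text such as '(build ...)'.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_teamcity_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a TeamCity version string such as '2023.05.3 (build 12345)'.

    Returns (year, minor, patch); a missing patch component counts as 0.
    Returns None when the string does not look like a TeamCity version.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(year), int(minor), int(patch) if patch is not None else 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version predates the fix, False if patched, None if unparseable."""
    version = parse_teamcity_version(text)
    if version is None:
        return None
    return version < PATCHED_VERSION


def triage_inventory(inventory: dict) -> dict:
    """Sort a {host: version_string} map into vulnerable / patched / unknown buckets."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        state = is_vulnerable(version)
        bucket = "unknown" if state is None else ("vulnerable" if state else "patched")
        report[bucket].append(host)
    return report


# Constructed sample inventory: hostnames, versions and build numbers are made up.
SAMPLE_INVENTORY = {
    "ci-01.example.internal": "2023.05.3 (build 12345)",
    "ci-02.example.internal": "2023.05.4 (build 12346)",
    "ci-03.example.internal": "2022.10",
    "ci-04.example.internal": "2023.11",
    "ci-05.example.internal": "version unavailable",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in the "unknown" bucket need a manual check rather than being assumed patched.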

Shadowserver, a nonprofit organization that tracks and analyzes malicious web activity, said that it has detected 800 unpatched instances of JetBrains TeamCity across the globe. More than 230 vulnerable instances were found in the United States.


The advisory by CISA and partners notes that SolarWinds-like access to source code and certificates can be achieved by exploiting the JetBrains TeamCity vulnerability. The ongoing exploitation of CVE-2023-42793 has affected a “limited number and seemingly opportunistic types of victims,” which indicates that SVR is not using the exploit in a similar manner to its SolarWinds campaign.

The first exploitation activity was detected at around the same time the patch was released. JetBrains says "there is little probability of your instance having been exploited if you immediately upgraded or applied the patch when it was made available."
