Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
Cyber & Infrastructure Security Agency – US-CERT
Here are the key points from the advisory:
– The Russian Foreign Intelligence Service (SVR, also known as APT29) has been exploiting a vulnerability (CVE-2023-42793) in JetBrains TeamCity software to gain initial access to victim networks since September 2023.
– The vulnerability allows an authorization bypass and arbitrary code execution on unpatched, internet-facing TeamCity servers. SVR is opportunistically targeting a wide range of victim organizations.
– After initial access, SVR conducts host and network reconnaissance, escalates privileges, establishes persistence, steals credentials, and exfiltrates data using a mix of open source and custom tools.
– Tools used include the GraphicalProton backdoor (with variants), a modified Rsockstun tunnel, Mimikatz, PowerSploit, and more. GraphicalProton communicates via OneDrive/Dropbox and randomly generated BMP files.
– Mitigations recommended are patching the vulnerability, enabling MFA, updating software/firmware, deploying anti-virus/EDR, hardening authentication, and monitoring for SVR behaviors mapped to MITRE ATT&CK techniques.
– Indicators of compromise provided include GraphicalProton samples, backdoored files, network endpoints, and the exploitation server IP, to aid detection and hunting of SVR activity in environments.
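The advisory's note that GraphicalProton uses OneDrive/Dropbox as its transport and carries data in randomly generated BMP files gives defenders a concrete hunting heuristic: a build server should rarely talk to consumer cloud storage, and almost never upload or download BMP images there. The script below is an added example (not code from the advisory or from CISA) that runs that heuristic over constructed proxy log lines. The log format, the host names, the list of cloud-storage domains, and the set of hosts treated as TeamCity build servers are all assumptions to be replaced with an organisation's own inventory.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not from the advisory). One request per line:
# <timestamp> <source host> <method> <url> <content-type> <bytes>
SAMPLE_PROXY_LOG = """\
2023-12-10T09:12:01Z build-teamcity-01 PUT https://graph.microsoft.com/v1.0/me/drive/root:/sync/7f3a9c.bmp:/content image/bmp 48213
2023-12-10T09:12:08Z build-teamcity-01 GET https://graph.microsoft.com/v1.0/me/drive/root:/sync:/children application/json 1822
2023-12-10T09:13:44Z build-teamcity-01 POST https://content.dropboxapi.com/2/files/upload image/bmp 51034
2023-12-10T09:15:02Z ws-alice-42 PUT https://graph.microsoft.com/v1.0/me/drive/root:/photos/holiday.jpg:/content image/jpeg 203112
2023-12-10T09:16:10Z build-teamcity-01 GET https://plugins.jetbrains.com/api/plugins application/json 9921
2023-12-10T09:20:55Z build-teamcity-02 GET https://content.dropboxapi.com/2/files/download image/bmp 40877
"""

# Assumed: hosts that run TeamCity (build servers) in this environment.
BUILD_SERVERS = {"build-teamcity-01", "build-teamcity-02"}

# Assumed: API endpoints for the two cloud storage services named in the advisory.
CLOUD_STORAGE_DOMAINS = {
    "graph.microsoft.com",       # OneDrive via Microsoft Graph
    "onedrive.live.com",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ctype>\S+)\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["domain"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def classify(rec, build_servers):
    """Return a severity for a request from a build server to cloud storage, else None.

    medium: build server talking to cloud storage at all (unexpected for a CI host)
    high:   the same, and the request carries a BMP image (GraphicalProton's carrier)
    """
    if rec["host"] not in build_servers:
        return None
    if rec["domain"] not in CLOUD_STORAGE_DOMAINS:
        return None
    path = urlparse(rec["url"]).path.lower()
    looks_like_bmp = rec["ctype"].lower() == "image/bmp" or ".bmp" in path
    return "high" if looks_like_bmp else "medium"


def scan(log_text, build_servers=BUILD_SERVERS):
    """Run the heuristic over a whole log and return a list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec, build_servers)
        if severity is None:
            continue
        findings.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "severity": severity,
            "method": rec["method"],
            "domain": rec["domain"],
            "bytes": rec["bytes"],
        })
    return findings


def summarize(findings):
    """Count findings per host and severity, e.g. {'build-teamcity-01': {'high': 2, 'medium': 1}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["host"]][f["severity"]] += 1
    return {host: dict(sev) for host, sev in counts.items()}


if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['host']} {f['method']} {f['domain']} ({f['bytes']} bytes)")
    print(summarize(scan(SAMPLE_PROXY_LOG)))
```

On the constructed log, the workstation's JPEG upload and the build server's request to the JetBrains plugin repository are ignored; the three BMP transfers to OneDrive and Dropbox from build servers are flagged high, and the directory listing call is flagged medium. In practice the "medium" tier is the one that needs tuning, since some teams legitimately publish build artifacts to cloud storage; the "high" tier (BMP content to cloud storage from a CI host) is the signal worth paging on.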
In summary, the advisory details an ongoing SVR campaign exploiting TeamCity, and provides technical details on their tactics and recommended defenses to detect and prevent compromise.
Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a