The FBI, NSA, and other collaborating agencies have issued a warning regarding the widespread exploitation of CVE-2023-42793 by cyber actors affiliated with the Russian Foreign Intelligence Service (SVR). These actors, also known as Advanced Persistent Threat 29 (APT 29), Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, have been targeting servers hosting JetBrains TeamCity software since September 2023.
Victims of these attacks span various industries, including software development, marketing, sales, medical devices, billing, employee monitoring, financial management, hosting, tool manufacturing, small and large IT companies, and an energy trade association.
The SVR’s ongoing operation, targeting networks hosting TeamCity servers, exploits the vulnerability identified as CVE-2023-42793. This flaw, impacting versions before 2023.05.4, allowed for authentication bypass in JetBrains TeamCity, potentially resulting in Remote Code Execution (RCE) on TeamCity Server.
TeamCity servers are integral to software development, enabling developers to manage and automate tasks such as development, compilation, testing, and release. Malicious actors, upon gaining access to these servers, can execute various harmful actions, including supply chain attacks, source code retrieval, certificate signing, software deployment disruption, and more.
The CSA highlights malicious activities such as lateral movement, backdoor deployment, privilege escalation, and others aimed at ensuring prolonged access to compromised networks.
JetBrains released a fix for CVE-2023-42793 in mid-September 2023, limiting the SVR’s ability to exploit unpatched TeamCity servers accessible via the internet.
While the SVR’s operations are believed to be in the preparatory phase, access to software developers’ networks provides an opportunity for establishing covert command and control (C2) infrastructure.
Rob Joyce, Director of NSA’s Cybersecurity Directorate, emphasizes the importance of promptly patching systems, implementing mitigations, and utilizing Indicators of Compromise (IOCs) to detect adversary presence and prevent persistent access.