CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service has been targeting unpatched TeamCity servers in widespread attacks since September 2023.
APT29 is known for breaching several U.S. federal agencies following the SolarWinds supply-chain attack they orchestrated three years ago.
They also targeted the Microsoft 365 accounts of multiple entities within NATO countries as part of their efforts to access foreign policy-related information and were linked to a series of phishing campaigns aimed at governments, embassies, and high-ranking officials across Europe.
The TeamCity security flaw exploited in these attacks is tracked as CVE-2023-42793 and carries a critical severity score of 9.8/10; unauthenticated threat actors can exploit it in low-complexity remote code execution attacks that require no user interaction.
Researchers from the Swiss security firm Sonar, who discovered and reported the flaw, also published technical details a week after JetBrains released TeamCity 2023.05.4 on September 21st to address the critical issue.
Security researchers at nonprofit internet security outfit Shadowserver Foundation are tracking almost 800 unpatched TeamCity servers that are vulnerable to attacks.
Also exploited by ransomware gangs and North Korean hackers.
In early October, several ransomware gangs were already exploiting the vulnerability to breach corporate networks, according to threat intelligence companies GreyNoise and PRODAFT. GreyNoise detected attacks from 56 different IP addresses as part of coordinated efforts aimed at breaching TeamCity servers left unpatched.
Two days earlier, the company also cautioned there's a high likelihood that organizations that neglected to secure their servers before September 29th have already been breached.
Microsoft later said that the Lazarus and Andariel North Korean state-backed hacking groups were backdooring victims' networks using CVE-2023-42793 exploits, likely in preparation for software supply chain attacks.
JetBrains says developers use its TeamCity software building and testing platform at over 30,000 organizations worldwide, including high-profile ones like Citibank, Ubisoft, HP, Nike, and Ferrari.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 13 Dec 2023 18:05:27 +0000