CyberSecurityBoard
Sponsor Register Login

Echoes of SolarWinds: JetBrains TeamCity servers under attack by Russia-backed hackers

The SolarWinds hackers are infiltrating JetBrains TeamCity servers via a critical vulnerability enabling authorization bypass and arbitrary code execution, government officials warn.
Russian Foreign Intelligence Service-backed threat actor CozyBear has been exploiting the bug tracked as CVE-2023-42793 since September, according to a joint advisory from CISA, the FBI, the NSA and international partners.
A patch was made available on Sept. 18 in TeamCity version 2023.05.4.
The critical vulnerability enables unauthenticated attackers to gain administrator access to TeamCity servers and achieve remote code execution without the need for user interaction, according to SonarSource.
SonarSource first discovered the flaw in on-premises TeamCity servers and disclosed the details publicly on Sept. 26.
TeamCity servers are Continuous Integration and Continuous Deployment servers many software companies use to manage and automate software development processes like building, testing and releasing.
More than 30,000 JetBrains customers use TeamCity servers, and more than 3,000 on-premises servers were directly exposed to the internet when the bug was discovered, SonarSource said.
CozyBear hackers use JetBrains security flaw to compromise dozens of companies.
The Russia-backed cybergang CozyBear, which conducted the massive SolarWinds supply chain attack in 2020, has compromised dozens of companies and more than a hundred devices by exploiting the JetBrains TeamCity flaw, officials said.
Companies in the United States, Europe, Asia and Australia have been affected.
The joint government advisory states identified victims include companies that provide software for billing, financial management, sales, marketing, customer care, employee monitoring, medical devices and video games.
The attackers also compromised small and large IT companies and an energy trade association, according to the advisory.
CozyBear was seen using the Mimikatz tool to steal credentials from the Windows Registry and escalate privileges on compromised systems.
JetBrains updated its blog on Thursday notifying customers about the exploitation and reiterating recommendations to update on-premises TeamCity servers to version 2023.05.4 or later.
Shadowserver, a nonprofit organization that tracks and analyzes malicious web activity, said on Wednesday it detected 800 unpatched instances of JetBrains TeamCity across the globe.
SolarWinds hack heightens supply chain attack worries.
SVR and CozyBear pulled off the notorious SolarWinds attack by leveraging access to the source code and trusted certificates of SolarWinds' Orion software.
The hackers injected its SUNBURST/Solorigate malware in Orion software updates to stealthily spread the malware backdoor to SolarWind's enterprise customers.
The advisory by CISA and partners notes that SolarWinds-like access to source code and certificates can be achieved by exploiting the JetBrains TeamCity vulnerability.
Services like TeamCity remain a prime target for threat actors working for foreign intelligence agencies.


This Cyber News was published on packetstormsecurity.com. Publication date: Fri, 15 Dec 2023 15:43:04 +0000


Cyber News related to Echoes of SolarWinds: JetBrains TeamCity servers under attack by Russia-backed hackers

Echoes of SolarWinds: JetBrains TeamCity servers under attack by Russia-backed hackers - The SolarWinds hackers are infiltrating JetBrains TeamCity servers via a critical vulnerability enabling authorization bypass and arbitrary code execution, government officials warn. Russian Foreign Intelligence Service-backed threat actor CozyBear ...
9 months ago Packetstormsecurity.com
JetBrains, Rapid7 clash over vulnerability disclosure policies - A dispute between software maker JetBrains and security vendor Rapid7 has highlighted ongoing concerns with coordinated vulnerability disclosure policies and practices. On March 4, JetBrains disclosed two critical vulnerabilities tracked as ...
6 months ago Techtarget.com
CISOs on alert following SEC charges against SolarWinds - While the outcome of the Security and Exchange Commission's complaint against SolarWinds remains to be seen, infosec experts say the charges are likely to have a major impact on the role of the CISO going forward. In late October, the SEC charged ...
8 months ago Techtarget.com
Threat Groups Rush to Exploit JetBrains' TeamCity CI/CD Security Flaws - The cyberthreats to users of JetBrains' TeamCity CI/CD platform continue to mount a week after the company issued two fixes to security vulnerabilities, with one cybersecurity vendor noting a ransomware attack that included exploiting the flaws for ...
6 months ago Securityboulevard.com
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
9 months ago Feeds.fortinet.com
CISA: Russian hackers target TeamCity servers since September - CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service has been targeting unpatched TeamCity servers in widespread attacks since September 2023. APT29 is ...
9 months ago Bleepingcomputer.com
NATO Draws a Cyber Red Line in Tensions With Russia - There has long been a military red line that NATO says Russia must not cross. Germany took a very strong diplomatic position, summoning Russia's representative, and then recalling its own Russian ambassador for talks. This is clearly a strong and ...
4 months ago Securityweek.com
NATO Draws a Cyber Red Line in Tensions With Russia - There has long been a military red line that NATO says Russia must not cross. Germany took a very strong diplomatic position, summoning Russia's representative, and then recalling its own Russian ambassador for talks. This is clearly a strong and ...
4 months ago Packetstormsecurity.com
Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare - APT29, the notorious Russian advanced persistent threat behind the 2020 SolarWinds hack, is actively exploiting a critical security vulnerability in JetBrains TeamCity that could open the door to rampant software supply chain attacks. According to ...
9 months ago Darkreading.com
Russian APT exploiting JetBrains TeamCity vulnerability - A known JetBrains TeamCity vulnerability is now being exploited by two nation-state threat groups as some organizations have yet to patch the critical flaw. CISA issued a joint government advisory Wednesday to warn users that a Russian advanced ...
9 months ago Techtarget.com
TeamCity Software Vulnerability Exploited Globally - Over the past few days a security breach has transpired, hackers are taking advantage of a significant flaw in TeamCity On-Premises software, allowing them to create unauthorised admin accounts. This flaw, known as CVE-2024-27198, has prompted urgent ...
6 months ago Cysecurity.news
Cyber Insights 2023: The Geopolitical Effect - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. The Russia/Ukraine war that started in early 2022 has been mirrored by a ...
1 year ago Securityweek.com
Russia is exploiting JetBrains TeamCity users at large scale The Register - Updated The offensive cyber unit linked to Russia's Foreign Intelligence Service is exploiting the critical vulnerability affecting the JetBrains TeamCity CI/CD server at scale, and has been since September, authorities warn. Announced in late ...
9 months ago Go.theregister.com
JetBrains warns of new TeamCity auth bypass vulnerability - JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. Tracked as CVE-2024-23917, this critical ...
7 months ago Bleepingcomputer.com
Adapting to the Post-SolarWinds Era: Supply Chain Security in 2024 - COMMENTARY. In December 2020, the SolarWinds attack sent shockwaves around the world. Attackers gained unauthorized access to SolarWinds' software development environment, injected malicious code into Orion platform updates, and created a backdoor ...
9 months ago Darkreading.com
SolarWinds Files Motion to Dismiss SEC Lawsuit - In a new filing with the US Southern District Court of New York, SolarWinds argued that the Securities and Exchange Commission was outside of its depth of expertise as well as its scope of authority in charging SolarWinds and its chief information ...
7 months ago Darkreading.com
Russian Hackers Exploiting JetBrains Vulnerability to Hack Servers - The Federal Bureau of Investigation, the National Security Agency, and other co-authoring agencies have issued a warning that Russian Foreign Intelligence Service cyber actors are widely exploiting CVE-2023-42793, aiming their attacks at servers that ...
9 months ago Gbhackers.com
JetBrains vulnerability exploitation highlights debate over 'silent patching' - Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers' servers ...
6 months ago Therecord.media
Weekly Vulnerability Recap 3/11/24: JetBrains & Atlassian Issues - This past week, both JetBrains TeamCity and Atlassian Confluence products have run into more hiccups as their string of vulnerabilities continues. JetBrains and Atlassian users should pay special attention since vulnerabilities continue cropping up ...
6 months ago Esecurityplanet.com
Ukrainian military says it hacked Russia's federal tax agency - The Ukrainian government's military intelligence service says it hacked the Russian Federal Taxation Service, wiping the agency's database and backup copies. Following this operation, carried out by cyber units within Ukraine's Defense Intelligence, ...
9 months ago Bleepingcomputer.com
Russian hackers target unpatched JetBrains TeamCity servers - Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned. APT 29, believed to ...
9 months ago Helpnetsecurity.com
Ukraine says it hacked Russian aviation agency, leaks data - Ukraine's intelligence service, operating under the Defense Ministry, claims they hacked Russia's Federal Air Transport Agency, 'Rosaviatsia,' to expose a purported collapse of Russia's aviation sector. Rosaviatsia is the agency responsible for ...
9 months ago Bleepingcomputer.com
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
9 months ago Bleepingcomputer.com
JetBrains releases security fixes for TeamCity CI/CD system - Two critical security vulnerabilities discovered by Rapid7 could allow an attacker to gain administrative control of TeamCity On-Premises servers. Editor at Large, InfoWorld| Mar 12, 2024 10:25 am PDT. JetBrains has released fixes for two critical ...
6 months ago Infoworld.com
Recent TeamCity Vulnerability Exploited in Ransomware Attacks - A TeamCity vulnerability disclosed recently in controversial circumstances is being exploited in ransomware attacks, according to the product's developer and cybersecurity companies. On March 4, JetBrains, the developer of the TeamCity build ...
6 months ago Securityweek.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)