APT29, the notorious Russian advanced persistent threat behind the 2020 SolarWinds hack, is actively exploiting a critical security vulnerability in JetBrains TeamCity that could open the door to rampant software supply chain attacks.
According to the feds, the exploitation of the issue, tracked as CVE-2023-42793, started in September after JetBrains patched the flaw and Rapid7 released a public proof-of-concept exploit for it; but now, it has grown to be a worrying global phenomenon that could result in widespread damage.
TeamCity is a continuous integration and deployment (CI/CD) server that sits at the center of the software development lifecycle, with access to everything from source code to the certificates used to sign releases.
A successful intrusion could give attackers that valuable data, but it could also let them alter what gets built and how it is deployed, raising the possibility that another SolarWinds-style attack wave could be in the offing.
Persistent TeamCity Backdoors Withstand Patching

In the SolarWinds incident, APT29 stowed away in legitimate SolarWinds software updates, landing automatically on legions of victim networks.
Of the roughly 18,000 organizations that installed the trojanized update, the group cherry-picked targets for second-wave intrusions, successfully infiltrating several US government agencies and tech companies, including Microsoft and FireEye.
For now, the TeamCity attacks have not yet gone that far.
For a nation-state actor looking for a place to lurk, one attraction of the TeamCity exploit is that patching alone won't end the danger: installing the fix closes the entry point, but it does nothing to evict an intruder who planted a backdoor or set up other persistent access on the server before the patch went in.
According to Shadowserver, at least 800 unpatched TeamCity instances worldwide were exposed to the Internet at first glance; it's unclear how many instances have since been patched but remain compromised.
That count also leaves out instances that aren't Internet-exposed but are reachable by sophisticated adversaries who already have a foothold inside corporate networks.
Flurry of APTs Target Developers Through CVE-2023-42793

APT29 is not the only state-sponsored cyberthreat to take notice of the tantalizing prizes on offer in vulnerable TeamCity instances.
In October, Microsoft's Threat Intelligence Center pointed to several North Korea-backed APTs, including Lazarus Group and its offshoot Andariel, using the TeamCity vuln to install persistent backdoors.
In some cases, there is more than one Big Bad at work.
Once patched, conducting active threat hunting based on the published indicators of compromise (IoCs) to uncover and remove persistent backdoors should be a top priority, according to Fortinet and Microsoft, both of which offer exhaustive guidance on that front.
Both the TeamCity server and its build agents should be vetted for signs of trouble.
JetBrains, in its CVE-2023-42793 security advisory, recommended that any publicly accessible servers be removed from the reach of the Internet while teams carry out patching and compromise investigations.
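As an added example (not code from the Dark Reading article, from JetBrains, or from the agencies cited), the following Python script triages a TeamCity inventory along the lines of that guidance: it parses the version string each server reports, flags anything below the fixed release as unpatched, and ranks hosts so that Internet-exposed unpatched servers come first, while patched servers are still queued for a backdoor hunt rather than marked clean. It assumes the fixed release is TeamCity 2023.05.4 (from the JetBrains advisory; the article itself gives no version number) and that versions are displayed in TeamCity's "2023.05.4 (build NNNNNN)" format. The host list and its build numbers are constructed sample data, not real servers.

```python
"""Triage a TeamCity inventory for CVE-2023-42793 patch state and hunt priority.

Added example; not the article's, JetBrains', or any agency's code.
"""
import re
from dataclasses import dataclass

# First TeamCity release that ships the CVE-2023-42793 fix. Assumption taken from
# the JetBrains advisory; the article itself does not state a version number.
FIXED_VERSION = (2023, 5, 4)

# TeamCity displays its version as e.g. "2023.05.4 (build 129421)"; some older
# releases have only two components ("2022.10"), which we treat as patch level 0.
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (year, major, patch) from a TeamCity version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no TeamCity version found in {text!r}")
    year, major, patch = m.groups()
    return int(year), int(major), int(patch or 0)


def is_patched(version_text: str) -> bool:
    """True if the reported version already contains the fix.

    Conservative on purpose: a server below 2023.05.4 that has JetBrains'
    separate security patch plugin installed still reports its old version,
    so it is flagged as unpatched here and must be confirmed by hand.
    """
    return parse_version(version_text) >= FIXED_VERSION


@dataclass(frozen=True)
class Host:
    name: str
    version: str
    internet_exposed: bool


# Lower number = handle first. Patched hosts are never "done": the fix closes the
# entry point but does not remove a backdoor planted before the patch went in.
PRIORITY = {
    "unpatched-exposed": 1,
    "unpatched-internal": 2,
    "patched-exposed": 3,
    "patched-internal": 4,
}

ACTION = {
    "unpatched-exposed": "take off the Internet now, patch, assume compromise, hunt server and agents",
    "unpatched-internal": "patch, then hunt: reachable by anyone with a foothold on the network",
    "patched-exposed": "may have been exposed while vulnerable; hunt for persistent backdoors before calling it clean",
    "patched-internal": "hunt if an adversary could have had internal access before the patch",
}


def classify(host: Host) -> str:
    state = "patched" if is_patched(host.version) else "unpatched"
    where = "exposed" if host.internet_exposed else "internal"
    return f"{state}-{where}"


def triage(hosts) -> list[tuple[str, str, str]]:
    """Return (host name, classification, action) rows ordered by urgency."""
    rows = [(h.name, classify(h), ACTION[classify(h)]) for h in hosts]
    rows.sort(key=lambda r: (PRIORITY[r[1]], r[0]))
    return rows


# Constructed sample inventory: hypothetical hosts and made-up build numbers.
SAMPLE_HOSTS = [
    Host("ci-prod.example.internal", "2023.05.4 (build 100001)", internet_exposed=True),
    Host("ci-legacy.example.internal", "2022.10.3 (build 100002)", internet_exposed=False),
    Host("ci-dmz.example.internal", "2023.05.3 (build 100000)", internet_exposed=True),
    Host("ci-lab.example.internal", "2023.11", internet_exposed=False),
]

if __name__ == "__main__":
    for name, cls, action in triage(SAMPLE_HOSTS):
        print(f"{name:<28} {cls:<19} {action}")
```

The version check is only a first pass: it cannot see JetBrains' security patch plugin, which fixes older releases without changing the reported version, and it says nothing about whether a server was actually reached during the exposure window. Treat the "patched" rows as a hunt queue, not a clean bill of health, and extend the inventory with the build agents attached to each server, since the guidance above calls for vetting both.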
This Cyber News was published on www.darkreading.com. Publication date: Wed, 13 Dec 2023 23:30:17 +0000