Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely in preparation for software supply chain attacks.

In September, JetBrains fixed a critical (CVSS 9.8/10) authentication bypass in TeamCity On-Premises, tracked as CVE-2023-42793, that allowed unauthenticated attackers to execute code remotely on the server. The fix shipped in TeamCity 2023.05.4; earlier versions remain exploitable. Although the patch was released quickly, threat actors, including ransomware gangs, began exploiting the flaw to breach corporate networks.

In a new report, Microsoft's Threat Intelligence team says it has observed the Lazarus and Andariel groups exploiting CVE-2023-42793 to breach TeamCity servers. Microsoft has not stated the ultimate goal of these intrusions, but believes the attackers may be positioning for software supply chain attacks, since a CI/CD server sits directly in the path between source code and the artifacts an organization ships.

"In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments," explains Microsoft.

Once the threat actors breach a TeamCity server, they use several distinct attack chains to deploy backdoors and gain persistence on the compromised network. In one chain, Lazarus deploys the ForestTiger malware, a backdoor used to execute commands on the breached server. A second chain relies on DLL search order hijacking to launch a malware loader called FeedLoad, which in turn installs a remote access trojan.

Andariel takes a more hands-on approach, creating a 'krtbgt' administrator account on the breached server (the name imitates the legitimate built-in 'krbtgt' Kerberos service account) and running commands to gather system information.

Regardless of which chain is used, Microsoft says the attackers ultimately dump credentials from LSASS memory, most likely to move laterally within the compromised network. Microsoft has shared technical details for all three observed attack chains, including indicators of compromise.
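One concrete detection a defender can build from the account-creation behaviour described above is a hunt for lookalike privileged accounts in Windows Security events: a newly created user, or a new member of the local Administrators group, whose name is one edit or transposition away from a built-in name such as krbtgt. The following is an added example, not code from the article, BleepingComputer or Microsoft's report. The event records are constructed samples carrying only a simplified subset of the fields of event 4720 (user account created) and 4732 (member added to a security-enabled local group); the hostnames, account names and the PROTECTED_NAMES list are assumptions for illustration.

```python
# Hunt for lookalike privileged accounts (e.g. 'krtbgt' mimicking the
# built-in 'krbtgt') in Windows Security event data.
#
# Added example, not code from the article, BleepingComputer or Microsoft.
# SAMPLE_EVENTS are CONSTRUCTED records with a simplified subset of the
# Security-Auditing fields for event 4720 (account created) and 4732
# (member added to a security-enabled local group).

PROTECTED_NAMES = ("krbtgt", "administrator")  # built-in names attackers imitate (assumed list)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 4720, "Computer": "build01", "SubjectUserName": "svc_teamcity",
     "TargetUserName": "krtbgt"},
    {"EventID": 4732, "Computer": "build01", "SubjectUserName": "svc_teamcity",
     "TargetUserName": "Administrators", "MemberName": "krtbgt"},
    {"EventID": 4720, "Computer": "build01", "SubjectUserName": "itadmin",
     "TargetUserName": "jdoe"},
    {"EventID": 4732, "Computer": "dc01", "SubjectUserName": "itadmin",
     "TargetUserName": "Administrators", "MemberName": "jdoe"},
    {"EventID": 4720, "Computer": "dc01", "SubjectUserName": "SYSTEM",
     "TargetUserName": "krbtgt"},  # the genuine account; must not alert
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'krtbgt' is one step from 'krbtgt' (plain Levenshtein says two)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(name: str):
    """Return the protected name that `name` imitates, or None.
    The genuine built-in names themselves are never flagged."""
    if name.lower() in PROTECTED_NAMES:
        return None
    for protected in PROTECTED_NAMES:
        if osa_distance(name, protected) <= 1:
            return protected
    return None


def hunt(events):
    """Return one finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4720:
            account, action = ev["TargetUserName"], "created"
        elif ev["EventID"] == 4732 and ev["TargetUserName"].lower() == "administrators":
            account, action = ev["MemberName"], "added to Administrators"
        else:
            continue
        mimicked = lookalike_of(account)
        if mimicked:
            findings.append({
                "host": ev["Computer"], "actor": ev["SubjectUserName"],
                "account": account, "action": action, "mimics": mimicked,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['actor']} {f['action']} '{f['account']}' "
              f"(looks like '{f['mimics']}')")
```

Against the constructed sample the hunt raises two findings, both for the 'krtbgt' account on build01, and stays silent on the real krbtgt account and on the ordinary 'jdoe' user. In production, feed it the parsed Security log (for example the output of Get-WinEvent exported to JSON) and treat a hit where the SubjectUserName is a CI/CD service account as a strong signal: a build server's service identity has no business creating local administrators.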
Both Lazarus and Andariel are state-sponsored North Korean hacking groups, with Andariel considered a subgroup of Lazarus. While both groups operate to benefit the North Korean government, their objectives differ. Lazarus has been linked to espionage, data theft, and financially motivated attacks, including targeting security researchers, trojanizing open-source cryptocurrency platforms, carrying out massive cryptocurrency heists, and staging fake job interviews to distribute malware. Andariel, by contrast, targets defense and IT services organizations in South Korea, the United States, and India for cyber espionage, data theft, destructive attacks, and ransomware operations.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000