The offensive cyber unit linked to Russia's Foreign Intelligence Service is exploiting the critical vulnerability affecting the JetBrains TeamCity CI/CD server at scale, and has been since September, authorities warn.
Announced in late September, the vulnerability, tracked as CVE-2023-42793 with a 9.8 severity score, can be seen as analogous to the one that facilitated the 2020 attack on SolarWinds - which claimed more than 18,000 victims.
The exploit in TeamCity could give attackers enough access to manipulate software source code, sign certificates, and tamper with compile and deploy processes, the advisory says.
Although the SVR has reportedly exploited servers since September, authorities have not gathered evidence to suggest it has used this access to launch attacks similar to the SolarWinds case.
The evidence suggests the access was used to plant additional backdoors in victims' environments after attackers escalated their privileges and moved laterally around compromised networks.
North Korea is continually looking for opportunities in this area, recent reports revealed, and the country's state-sponsored attackers were among the first to be observed exploiting CVE-2023-42793.
The authorities warned that although SolarWinds-like attacks have not yet been carried out as a result of the SVR's TeamCity exploitation, they believe attackers are still in a preparatory phase and that more serious attacks may come further down the line.
Currently, the SVR's priorities appear to be establishing a foothold in victims' environments and deploying command and control infrastructure that's difficult to detect - a sign of attackers laying the groundwork for future operations.
Legitimate services like Dropbox have been used to mask the SVR's C2 traffic, and the malware-related data passing through these services was obfuscated inside randomly generated BMP files.
Attackers were also spotted abusing OneDrive for the same purposes, but Microsoft has since confirmed this was disrupted.
This activity was observed alongside the SVR's use of the GraphicalProton backdoor, which was itself wrapped in numerous layers of encryption, obfuscation, encoders, and stagers.
The malware has remained largely unchanged in the months since the authorities began tracking it.
Other post-exploitation activity has involved the deployment of the Mimikatz toolkit, enumerating victims' Active Directories, disabling antivirus and EDR tools, and more.
The advisory contains an extensive list of recommended mitigations and indicators of compromise to help potential victims uncover any undetected activity.
Telemetry from Shadowserver indicates that nearly 800 TeamCity instances remain vulnerable to CVE-2023-42793 exploits as of this week, despite patches released by JetBrains in late September.
The authorities say the attempts to exploit TeamCity on a large scale fit in with the country's broad objectives in cyberspace, which have remained largely unchanged for the past ten years.
For the past decade, the SVR has primarily relied on spear phishing methods to steal political, economic, scientific, and technological foreign intelligence.
The authorities also say it's less common for the SVR to steal information by exploiting vulnerabilities and breaking into targets' systems, though the group has extensive experience in the area.
Among the examples the agency cites is the 2020 case in which the SVR targeted organizations involved in the development of COVID-19 vaccines using the custom malware WellMess, WellMail, and Sorefang.
It also cites SolarWinds, an attack that Microsoft's Brad Smith famously branded the most sophisticated in history, the attribution for which didn't come until the following year.
This Cyber News was published on go.theregister.com. Publication date: Thu, 14 Dec 2023 14:43:05 +0000