A known JetBrains TeamCity vulnerability is now being exploited by two nation-state threat groups as some organizations have yet to patch the critical flaw.
CISA issued a joint government advisory Wednesday to warn users that a Russian advanced persistent threat actor, commonly known as Cozy Bear, is exploiting a TeamCity server authentication bypass vulnerability, tracked as CVE-2023-42793, that was disclosed and patched in September.
It marked the second report on TeamCity exploitation by a nation-state group.
In October, Microsoft and JetBrains disclosed that North Korean threat actors were exploiting CVE-2023-42793 to gain initial access to vulnerable servers.
Both nation-state groups were observed deploying backdoors to maintain persistence on compromised networks.
Cozy Bear, also known as APT29 and Nobelium/Midnight Blizzard, is a hacking group connected to Russia's Foreign Intelligence Service (SVR).
The APT group is responsible for several high-profile attacks, including the massive SolarWinds breach, which affected U.S. federal government agencies in 2020.
In addition to confirming that Cozy Bear compromised a few dozen companies since September, the government agencies also said they are aware of more than 100 compromised devices.
CISA revealed that identified victims included an energy trade association, as well as software providers for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales and video games.
CISA said it has not observed Cozy Bear abusing TeamCity access in the same way threat actors used malicious software updates to gain access to SolarWinds customers.
Still, the agency warned that the activity could pose a threat to the supply chain.
Cozy Bear is known to conduct spear phishing attacks and to target organizations across several sectors including education, government and technology for cyberespionage purposes.
After exploiting the TeamCity vulnerability to gain initial access and escalate privileges, the threat actor was observed using GraphicalProton, a backdoor that uses Microsoft OneDrive and Dropbox to exchange data with its SVR operators.
In response to Cozy Bear abusing OneDrive and Dropbox, Microsoft revealed that it is taking action to disrupt the large-scale campaign.
The tech giant outlined other indicators of compromise in a series of posts on X, formerly known as Twitter, on Wednesday.
Recent scans by cybersecurity nonprofit The Shadowserver Foundation showed 800 unpatched TeamCity servers remaining worldwide.
In a statement to TechTarget Editorial, a JetBrains spokesperson said 2% of TeamCity instances remain unpatched as of now.
The spokesperson emphasized that the vulnerability only affects on-premises instances of TeamCity and not the cloud version.
In addition to patching, CISA also advised enterprises to implement multifactor authentication, monitor networks, audit log files and validate security controls.
Arielle Waldman is a Boston-based reporter covering enterprise security news.
This Cyber News was published on www.techtarget.com. Publication date: Thu, 14 Dec 2023 22:43:04 +0000