CyberSecurityBoard
Sponsor Register Login

Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

The Russian cyberespionage group known as APT29 has been exploiting a recent TeamCity vulnerability on a large scale since September 2023, according to government agencies in the US, UK, and Poland.
The issue, tracked as CVE-2023-42793 and impacting on-premises TeamCity instances, is described as an authentication bypass that can be exploited without user interaction to steal sensitive information and take over vulnerable servers.
Exploitation of the bug started days after patches were released in late September, with several ransomware groups observed targeting CVE-2023-42793.
By the end of October, North Korean state-sponsored threat actors were also exploiting the flaw.
Now, government agencies in the US, the UK, and Poland reveal that at least one Russian nation-state actor has been exploiting the vulnerability in cyberattacks since September.
The hacking group, tracked as APT29, CozyBear, the Dukes, Midnight Blizzard, Nobelium, and Yttrium, is believed to be sponsored by the Russian Foreign Intelligence Service, and was previously blamed for the 2016 US election hack, the 2020 SolarWinds attack, and various other high-profile attacks.
As part of the observed attacks, APT29 exploited CVE-2023-42793 to execute code with high privileges and gain a foothold on the target environments.
Next, the attackers performed reconnaissance, exfiltrated files, disabled EDR and anti-virus software, established persistence, and moved to exfiltrate sensitive data.
The cyberespionage group was observed using multiple custom and open source tools and backdoors, such as the GraphicalProton malware, which was initially detailed in July 2023.
TeamCity is used by software developers to manage and automate their processes.
Compromised TeamCity servers could be useful for supply chain attacks, such as the one aimed at SolarWinds.
On the same day that the joint advisory was released, Fortinet published a technical analysis of an APT29 attack, which targeted a US organization in the biomedical manufacturing sector, pointing out that it has observed multiple threat actors attempting to exploit the vulnerable environment.
Organizations are advised to review JetBrains' advisory on CVE-2023-42793, update their TeamCity instances to a patched release, and review the indicators-of-compromise released by the US, UK, and Polish agencies and Fortinet to hunt for malicious activity in their environments.


This Cyber News was published on www.securityweek.com. Publication date: Thu, 14 Dec 2023 11:43:06 +0000


Cyber News related to Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies - The Russian cyberespionage group known as APT29 has been exploiting a recent TeamCity vulnerability on a large scale since September 2023, according to government agencies in the US, UK, and Poland. The issue, tracked as CVE-2023-42793 and impacting ...
6 months ago Securityweek.com
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
6 months ago Feeds.fortinet.com
Russian APT exploiting JetBrains TeamCity vulnerability - A known JetBrains TeamCity vulnerability is now being exploited by two nation-state threat groups as some organizations have yet to patch the critical flaw. CISA issued a joint government advisory Wednesday to warn users that a Russian advanced ...
6 months ago Techtarget.com
Echoes of SolarWinds: JetBrains TeamCity servers under attack by Russia-backed hackers - The SolarWinds hackers are infiltrating JetBrains TeamCity servers via a critical vulnerability enabling authorization bypass and arbitrary code execution, government officials warn. Russian Foreign Intelligence Service-backed threat actor CozyBear ...
6 months ago Packetstormsecurity.com
How Government Agencies Can Leverage Grants to Shore Up Cybersecurity - COMMENTARY. Since the pandemic forced unprecedented adoption of remote access and delivery of government services, telehealth, and education, cybersecurity has rapidly shot to the top of priority lists for IT leaders. What was once a shiny object ...
1 month ago Darkreading.com
Accelerating Safe and Secure AI Adoption with ATO for AI: stackArmor Comments on OMB AI Memo - We appreciate the opportunity to comment on the proposed Memo on Agency Use of Artificial Intelligence. Ensuring agencies have access to adequate IT infrastructure,. We base our remarks on our experience helping US Federal agencies transform their ...
6 months ago Securityboulevard.com
CISA: Russian hackers target TeamCity servers since September - CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service has been targeting unpatched TeamCity servers in widespread attacks since September 2023. APT29 is ...
6 months ago Bleepingcomputer.com
How Cloud Solutions Can Lead to Stronger, More Secure IT Operations - Cloud services, which offer tools such as networks, servers, and data storage, can help federal agencies deliver better IT services while minimizing costs. Without adequate security measures, these services can expose agencies to cyberattacks. The ...
3 months ago Cyberdefensemagazine.com
Russian Hackers Exploiting JetBrains Vulnerability to Hack Servers - The Federal Bureau of Investigation, the National Security Agency, and other co-authoring agencies have issued a warning that Russian Foreign Intelligence Service cyber actors are widely exploiting CVE-2023-42793, aiming their attacks at servers that ...
6 months ago Gbhackers.com
Russian military hackers target NATO fast reaction corps - Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the ...
6 months ago Bleepingcomputer.com
Russian hackers target unpatched JetBrains TeamCity servers - Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned. APT 29, believed to ...
6 months ago Helpnetsecurity.com
TeamCity Software Vulnerability Exploited Globally - Over the past few days a security breach has transpired, hackers are taking advantage of a significant flaw in TeamCity On-Premises software, allowing them to create unauthorised admin accounts. This flaw, known as CVE-2024-27198, has prompted urgent ...
3 months ago Cysecurity.news
Lawmakers: Ban TikTok to Stop Election Misinformation! Same Lawmakers: Restrict How Government Addresses Election Misinformation! - In a case being heard Monday at the Supreme Court, 45 Washington lawmakers have argued that government communications with social media sites about possible election interference misinformation are illegal. Just this week the vast majority of those ...
3 months ago Eff.org
What Should We Expect for State and Local Government IT Priorities in 2024? - As we wrap up 2023, it is a great time to reflect on the current state of technology in state and local governments and look ahead to the priorities for the coming year. Maintaining the security of networks and the data they carry continues to be the ...
6 months ago Feedpress.me
Majority of Gao's Cybersecurity Recommendations Not Implemented by Federal Agencies - The Government Accountability Office has recently reported that federal agencies have been slow to implement a majority of the recommendations it made for improving the cybersecurity of federal agencies. Despite the implementation progress at some ...
1 year ago Securityweek.com
Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare - APT29, the notorious Russian advanced persistent threat behind the 2020 SolarWinds hack, is actively exploiting a critical security vulnerability in JetBrains TeamCity that could open the door to rampant software supply chain attacks. According to ...
6 months ago Darkreading.com
Russia is exploiting JetBrains TeamCity users at large scale The Register - Updated The offensive cyber unit linked to Russia's Foreign Intelligence Service is exploiting the critical vulnerability affecting the JetBrains TeamCity CI/CD server at scale, and has been since September, authorities warn. Announced in late ...
6 months ago Go.theregister.com
FSB arrests Russian hackers working for Ukrainian cyber forces - The Russian Federal Security Service arrested two individuals believed to have helped Ukrainian forces carry out cyberattacks to disrupt Russian critical infrastructure targets. Both suspects were taken into custody one same day in two different ...
7 months ago Bleepingcomputer.com
Dozens of Rogue California Police Agencies Still Sharing Driver Locations with Anti-Abortion States - SAN FRANCISCO-California Attorney General Rob Bonta should crack down on police agencies that still violate Californians' privacy by sharing automated license plate reader information with out-of-state government agencies, putting abortion seekers ...
5 months ago Eff.org
Ukraine says it hacked Russian aviation agency, leaks data - Ukraine's intelligence service, operating under the Defense Ministry, claims they hacked Russia's Federal Air Transport Agency, 'Rosaviatsia,' to expose a purported collapse of Russia's aviation sector. Rosaviatsia is the agency responsible for ...
7 months ago Bleepingcomputer.com
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
5 months ago Bleepingcomputer.com
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
5 months ago Bleepingcomputer.com
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
7 months ago Bleepingcomputer.com
US Government on High Alert as Russian Hackers Steal Critical Correspondence From Microsoft - The US cybersecurity agency CISA on Thursday issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft's corporate network and pivoted to steal sensitive ...
2 months ago Securityweek.com
JetBrains warns of new TeamCity auth bypass vulnerability - JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. Tracked as CVE-2024-23917, this critical ...
4 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)