TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793

As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team.
The following section of this report focuses on the activities of one of these threat actors distinct from other threat actor activities.
A description of the activities conducted by other threat actors exploiting this vulnerability is covered more extensively in the following 'Other Threat Actors Activity' section.
The first activity attributed to the main threat actor was the execution of an echo command like those discussed above, indicating that the main threat actor likely employed Nuclei to identify potential victims.
As part of this exploitation, the main threat actor used the TeamCity exploit to install an SSH certificate, which they then used to maintain access in this second victim's environment.
After successfully downloading this DLL file on the HOST 1 TEAMCITY, the main threat actor again used the TeamCity RCE vulnerability to create a Windows-scheduled task referencing this DLL file.
While this tooling is confidently linked to APT29 or BlueBravo, the victimology and initial access vector employed by the main threat actor throughout the earlier stages of this intrusion do not align with currently reported APT29 campaigns.
While the IR team could not attribute this activity to APT29 with high confidence, associated threat intelligence was used to focus our investigation further.
These exceptions removed the constraints around the adversary's ability to fully employ their TeamCity exploitation, allowing the main threat actor to continue their execution unrestricted by FortiEDR. After these exceptions were set, the main threat actor was able to successfully dump the registry of the Windows host HOST 1 TEAMCITY to gain access to local user credentials.
At this stage, the main threat actor continued to employ their TeamCity exploit for execution, trying alternative techniques to establish a more robust foothold on the HOST 1 TEAMCITY. They used their access to create a Windows account, 'oldadministrator', added the newly created account to the local administrators group, and made the account a special account (hidden from the Windows logon screen) by adding it under the registry path 'NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist' with the DWORD value 0.
Removing TeamCity software accounts created by threat actors.
In addition to the main threat actor, there were other threat actors who exploited the TeamCity vulnerability.
One of these threat actors used their RCE access through the exploit to create a new TeamCity user via the TeamCity API. They then added the 'System administrator' role to this newly created user account.
Another threat actor used their TeamCity exploit to download and execute the installer for legitimate remote access software AnyDesk on the HOST 1 TEAMCITY. The AnyDesk software was installed with the '-start-with-win' parameter, making it auto-start on boot.
The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from Fortinet's distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
The following Threat Hunting query searches for an event in which the threat actor verified the creation of a particular scheduled task.
The following Threat Hunting query searches for an event in which a TeamCity process spawns the Windows scheduled-task management utility.
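The two hunts above, together with the hidden-account registry write described earlier, can be expressed as a small detection pass over endpoint telemetry. This is an added example, not the FortiGuard query or the report's own code; it assumes Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) fields, that the TeamCity server runs from a path containing 'TeamCity', and that the task utility is schtasks.exe. The sample events are constructed to mirror the behaviour described.

```python
"""Hunt for TeamCity-spawned schtasks, task-creation verification, and hidden accounts."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (Sysmon-style field names are an assumption).
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "rundll32 C:\Temp\x.dll,Run"'},
    {"EventID": "1", "ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /query /tn "Updater"'},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",   # benign admin use
     "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks /query"},
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                     r"\SpecialAccounts\UserList\oldadministrator",
     "Details": "DWORD (0x00000000)"},
]

TEAMCITY_PARENT = re.compile(r"\\teamcity\\", re.I)      # TeamCity install path
SCHTASKS = re.compile(r"\\schtasks\.exe$", re.I)
TASKNAME = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
USERLIST_KEY = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$", re.I)


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Return (rule, detail) findings; correlates /create and /query by task name."""
    findings: List[Tuple[str, Optional[str]]] = []
    created_tasks = set()
    for ev in events:
        if ev["EventID"] == "1" and SCHTASKS.search(ev["Image"]):
            cmd = ev["CommandLine"]
            m = TASKNAME.search(cmd)
            task = m.group(1) if m else None
            if TEAMCITY_PARENT.search(ev["ParentImage"]):
                findings.append(("teamcity_spawns_schtasks", task))
                if "/create" in cmd.lower() and task:
                    created_tasks.add(task.lower())
            # Verification hunt: a query for a task we already saw being created.
            if "/query" in cmd.lower() and task and task.lower() in created_tasks:
                findings.append(("task_creation_verified", task))
        elif ev["EventID"] == "13":
            m = USERLIST_KEY.search(ev["TargetObject"])
            if m and "0x00000000" in ev["Details"]:   # DWORD 0 hides the account
                findings.append(("hidden_account", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule}: {detail}")
```

The explorer.exe-spawned query without a task name produces no finding, so ordinary administrative use of the utility does not alert on its own.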
The threat actor(s) performed vulnerability scans using Nuclei to check whether the TeamCity server was vulnerable to CVE-2023-42793.
The threat actor(s) exploited the vulnerability CVE-2023-42793 of the public-facing TeamCity software host.
The threat actor(s) used the Windows Management Instrumentation command-line utility from HOST 1 TEAMCITY to connect to multiple other hosts for lateral movement.


This Cyber News was published on feeds.fortinet.com. Publication date: Wed, 13 Dec 2023 17:43:24 +0000

