As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team.
The following section of this report focuses on the activities of one of these threat actors, referred to here as the main threat actor, separately from the activities of the others.
A description of the activities conducted by the other threat actors exploiting this vulnerability is covered more extensively in the following 'Other Threat Actors Activity' section.
The first activity attributed to the main threat actor was the execution of an echo command like those discussed above, indicating that the main threat actor likely employed Nuclei to identify potential victims.
As part of this exploitation, the main threat actor used the TeamCity exploit to install an SSH certificate, which they then used to maintain access in this second victim's environment.
After successfully downloading this DLL file to HOST 1 TEAMCITY, the main threat actor again used the TeamCity RCE vulnerability to create a Windows scheduled task referencing this DLL file.
While this tooling is confidently linked to APT29 (also tracked as BlueBravo), the victimology and initial access vector employed by the main threat actor throughout the earlier stages of this intrusion do not align with currently reported APT29 campaigns.
While the IR team could not attribute this activity to APT29 with high confidence, associated threat intelligence was used to focus our investigation further.
These exceptions removed the constraints FortiEDR had placed on the adversary's TeamCity exploitation, allowing the main threat actor to continue execution unrestricted. After these exceptions were set, the main threat actor successfully dumped the registry of the Windows host HOST 1 TEAMCITY to gain access to local user credentials.
At this stage, the main threat actor continued to employ their TeamCity exploit for execution, trying alternative techniques to establish a more robust foothold on HOST 1 TEAMCITY. They used their access to create a Windows account, 'oldadministrator', added the newly created account to the local Administrators group, and hid it from the logon screen by adding it as a DWORD value of 0 under the registry key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'.
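The hidden-account technique above is easy to hunt for on a live host. The following PowerShell is an added example written for this page, not tooling from the FortiGuard report: it lists every value under the Winlogon SpecialAccounts\UserList key that is set to 0 (the setting that hides an account from the Welcome screen) and cross-checks those names against the local Administrators group and the local user database. The account name 'oldadministrator' appears only in a comment as the name seen in this intrusion; nothing in the script is specific to it. Run it from an elevated session.

```powershell
# Added example (not from the FortiGuard report): hunt for local accounts hidden
# from the logon screen via Winlogon SpecialAccounts\UserList and report whether
# each one is a local administrator. In the intrusion described above the hidden
# account was named 'oldadministrator'; the script flags any name it finds.

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLocalAccount {
    # The key is absent on a default Windows install, so its mere presence is notable.
    if (-not (Test-Path $userListKey)) {
        Write-Host "No SpecialAccounts\UserList key present (expected on a clean host)."
        return ,@()
    }
    $props  = Get-ItemProperty -Path $userListKey
    $hidden = @()
    foreach ($name in $props.PSObject.Properties.Name) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($name -like 'PS*') { continue }
        # A value of 0 hides the account; any other value does not.
        if ($props.$name -eq 0) { $hidden += $name }
    }
    return ,$hidden
}

function Get-HiddenAdminReport {
    # Local Administrators members come back as COMPUTERNAME\user; keep only the user part.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Where-Object { $_.ObjectClass -eq 'User' } |
              ForEach-Object { ($_.Name -split '\\')[-1] }

    foreach ($account in (Get-HiddenLocalAccount)) {
        $local = Get-LocalUser -Name $account -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Account         = $account
            ExistsLocally   = [bool]$local
            IsLocalAdmin    = $admins -contains $account
            Enabled         = if ($local) { $local.Enabled } else { $null }
            # Get-LocalUser exposes no creation time; PasswordLastSet is set when the
            # account is created with a password and is the closest available proxy.
            PasswordLastSet = if ($local) { $local.PasswordLastSet } else { $null }
            LastLogon       = if ($local) { $local.LastLogon } else { $null }
        }
    }
}

Get-HiddenAdminReport | Format-Table -AutoSize
```

A hidden account that is also a local administrator and whose PasswordLastSet falls inside the intrusion window is the combination to escalate; an empty report on a host where the key exists still means someone created the key, which is worth explaining.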
Removing TeamCity software accounts created by threat actors.
In addition to the main threat actor, there were other threat actors who exploited the TeamCity vulnerability.
One of these threat actors used their RCE access through the exploit to create a new TeamCity user via the TeamCity API. They then added the 'System administrator' role to this newly created user account.
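Accounts created this way are found by auditing who holds the global System administrator role rather than by looking for a particular username. The following PowerShell is an added example for this page, not tooling from the FortiGuard report. It works from a TeamCity REST API users listing and reports every user whose roles include roleId SYSTEM_ADMIN with the global scope 'g'; the field names follow TeamCity's public REST API documentation and should be verified against the server version in use. The JSON embedded in the script is a constructed sample response, and the server name in the comment is a placeholder.

```powershell
# Added example (not from the FortiGuard report): list TeamCity users holding the
# global System administrator role so that accounts created through the exploited
# API can be reviewed and removed. Field names (user, roles.role, roleId, scope)
# follow TeamCity's REST API docs and are assumptions to verify on your version.

# Constructed sample of a GET /app/rest/users?fields=... response (not real data).
$sampleResponse = @'
{
  "count": 3,
  "user": [
    { "id": 1,  "username": "admin",           "lastLogin": "20231201T090000+0000",
      "roles": { "role": [ { "roleId": "SYSTEM_ADMIN",   "scope": "g" } ] } },
    { "id": 2,  "username": "build-agent-svc",
      "roles": { "role": [ { "roleId": "PROJECT_VIEWER", "scope": "p:_Root" } ] } },
    { "id": 17, "username": "support_tmp",     "lastLogin": "20231116T031512+0000",
      "roles": { "role": [ { "roleId": "SYSTEM_ADMIN",   "scope": "g" } ] } }
  ]
}
'@

function Get-TeamCitySysAdmin {
    param(
        [string]$ServerUrl,     # e.g. https://teamcity.example.internal (placeholder)
        [string]$AccessToken,   # TeamCity access token allowed to view users
        [string]$Json           # offline mode: a saved /app/rest/users response
    )
    if ($Json) {
        $data = $Json | ConvertFrom-Json
    } else {
        # Ask only for the fields needed; Accept: application/json selects JSON output.
        $uri  = "$ServerUrl/app/rest/users?fields=user(id,username,lastLogin,roles(role(roleId,scope)))"
        $data = Invoke-RestMethod -Uri $uri -Headers @{
            Authorization = "Bearer $AccessToken"
            Accept        = 'application/json'
        }
    }
    foreach ($u in $data.user) {
        # A user with no roles yields $null here; @() turns that into an empty array.
        $global = @($u.roles.role | Where-Object { $_.roleId -eq 'SYSTEM_ADMIN' -and $_.scope -eq 'g' })
        if ($global.Count -gt 0) {
            [pscustomobject]@{
                Id        = $u.id
                Username  = $u.username
                LastLogin = $u.lastLogin   # absent for users that never logged in
            }
        }
    }
}

# Offline run against the constructed sample: reports users 1 and 17.
Get-TeamCitySysAdmin -Json $sampleResponse | Format-Table -AutoSize
```

Compare the output with the list of administrators the TeamCity owners recognise; a System administrator whose id is higher than any account the team created, or whose only login falls inside the exploitation window, is the kind of account the 'Removing TeamCity software accounts created by threat actors' recommendation refers to.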
Another threat actor used their TeamCity exploit to download and execute the installer for legitimate remote access software AnyDesk on the HOST 1 TEAMCITY. The AnyDesk software was installed with the '-start-with-win' parameter, making it auto-start on boot.
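An AnyDesk install that auto-starts on boot leaves a Windows service and a set of configuration and trace files behind. The following PowerShell is an added example for this page, not tooling from the FortiGuard report: it reports any AnyDesk service with its start mode and binary path, and collects the standard AnyDesk files under ProgramData that an analyst would preserve. The file names and the ProgramData location are AnyDesk's defaults on current Windows builds and are assumptions to check against the installed version.

```powershell
# Added example (not from the FortiGuard report): surface an AnyDesk installation
# that was set to start with Windows, and the artifacts to collect from it.
# File and folder names are AnyDesk defaults and are assumptions for your version.

function Get-AnyDeskService {
    # An install with the start-with-Windows option registers a service with
    # StartMode 'Auto'; a portable run without that option leaves no service.
    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'AnyDesk%'" |
        ForEach-Object {
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode   # 'Auto' means it comes back on every boot
                State     = $_.State
                Binary    = $_.PathName
            }
        }
}

function Get-AnyDeskArtifact {
    # Default service-side data lives under %ProgramData%\AnyDesk (assumed default).
    $base = Join-Path $env:ProgramData 'AnyDesk'
    if (-not (Test-Path $base)) { return }
    foreach ($name in 'service.conf', 'system.conf', 'ad_svc.trace', 'connection_trace.txt') {
        $path = Join-Path $base $name
        if (Test-Path $path) {
            Get-Item $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

$services = Get-AnyDeskService
if ($services) {
    $services | Format-Table -AutoSize
    Get-AnyDeskArtifact | Format-Table -AutoSize
} else {
    Write-Host 'No AnyDesk service registered on this host.'
}
```

The LastWriteTime of service.conf dates the installation; connection_trace.txt and ad_svc.trace are the files to pull before the software is removed, since they record the sessions that used the persistence.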
The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
The following Threat Hunting query searches for an event in which the threat actor verified the creation of a particular scheduled task.
The following Threat Hunting query searches for an event in which the TeamCity process creates a process of the Windows scheduled task management utility.
The threat actor(s) performed vulnerability scans using Nuclei to check whether the TeamCity server was vulnerable to CVE-2023-42793.
The threat actor(s) exploited CVE-2023-42793 on the public-facing TeamCity host.
The threat actor(s) used the Windows Management Instrumentation command-line utility (wmic.exe) from HOST 1 TEAMCITY to connect to multiple other hosts for lateral movement.
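The two Threat Hunting queries described earlier (TeamCity spawning the scheduled task utility, and the actor verifying the task it created) and the WMIC lateral movement above can all be expressed over the same data: Windows Security event 4688 process-creation records. The following PowerShell is an added example for this page, not the report's FortiEDR queries. It runs the three hunts over a constructed set of 4688-shaped records embedded in the script, and includes a converter so the same logic can be fed from Get-WinEvent on a real host. The TeamCity install path is an assumption, and schtasks.exe is assumed to be the task utility the report refers to; both should be adjusted to what is on the investigated host.

```powershell
# Added example (not the FortiGuard report's queries): hunt Security 4688 records for
# (1) the TeamCity server process spawning the task scheduler utility, (2) the actor
# checking the task it created, and (3) wmic.exe being pointed at remote hosts.
# Assumptions: TeamCity is installed under $teamCityRoot, schtasks.exe is the task
# utility, and 'Include command line in process creation events' is enabled.

$teamCityRoot = 'C:\TeamCity\'   # assumption; set to the actual install directory

# Constructed sample records using 4688 EventData field names (not real telemetry).
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2023-11-16 03:10:41'; Computer = 'HOST1'
        ParentProcessName = 'C:\TeamCity\jre\bin\java.exe'
        NewProcessName    = 'C:\Windows\System32\schtasks.exe'
        CommandLine       = 'schtasks /create /tn "Updater" /tr "rundll32 C:\Users\Public\u.dll,Run" /sc onlogon' }
    [pscustomobject]@{ TimeCreated = '2023-11-16 03:10:52'; Computer = 'HOST1'
        ParentProcessName = 'C:\TeamCity\jre\bin\java.exe'
        NewProcessName    = 'C:\Windows\System32\schtasks.exe'
        CommandLine       = 'schtasks /query /tn "Updater"' }
    [pscustomobject]@{ TimeCreated = '2023-11-16 03:41:07'; Computer = 'HOST1'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        NewProcessName    = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine       = 'wmic /node:10.0.0.23 process call create "cmd /c whoami"' }
    [pscustomobject]@{ TimeCreated = '2023-11-16 09:00:00'; Computer = 'HOST1'
        ParentProcessName = 'C:\Windows\System32\svchost.exe'
        NewProcessName    = 'C:\Windows\System32\schtasks.exe'
        CommandLine       = 'schtasks /query'   # benign: not from TeamCity, no /tn
    }
)

function Find-TeamCityExploitationEvent {
    param([Parameter(ValueFromPipeline)] [psobject]$Event)
    process {
        $leaf     = Split-Path -Leaf $Event.NewProcessName
        $fromTC   = $Event.ParentProcessName -like "$teamCityRoot*"
        $tags     = @()
        if ($fromTC -and $leaf -ieq 'schtasks.exe' -and $Event.CommandLine -match '/create') {
            $tags += 'TeamCity spawned schtasks /create'
        }
        if ($fromTC -and $leaf -ieq 'schtasks.exe' -and $Event.CommandLine -match '/query\s+/tn') {
            $tags += 'task creation verified from TeamCity'
        }
        if ($leaf -ieq 'wmic.exe' -and $Event.CommandLine -match '/node:') {
            $tags += 'WMIC remote execution (lateral movement)'
        }
        if ($tags.Count -gt 0) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Host    = $Event.Computer
                Finding = $tags -join '; '
                Command = $Event.CommandLine
            }
        }
    }
}

function ConvertFrom-ProcessCreationEvent {
    # Turn a live 4688 EventRecord into the same shape as the sample records.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeCreated       = $Record.TimeCreated
        Computer          = $Record.MachineName
        ParentProcessName = $d['ParentProcessName']
        NewProcessName    = $d['NewProcessName']
        CommandLine       = $d['CommandLine']
    }
}

# Offline run over the constructed sample: the first three records are flagged.
$sampleEvents | Find-TeamCityExploitationEvent | Format-Table -AutoSize

# Live equivalent on the TeamCity host (reads the Security log; needs admin rights):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { ConvertFrom-ProcessCreationEvent $_ } | Find-TeamCityExploitationEvent
```

The parent-process condition is what separates the real finding from the benign fourth record: schtasks under svchost is routine, while any schtasks.exe whose parent is the TeamCity Java process is something the build server never does on its own.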
This Cyber News was published on feeds.fortinet.com. Publication date: Wed, 13 Dec 2023 17:43:24 +0000