Since late September, Russian threat actors have been exploiting a known vulnerability in TeamCity, a continuous integration and continuous deployment tool from software development company JetBrains, in order to escalate privileges, deploy malware and establish persistent access in compromised environments.
JetBrains released patches to fix the flaw (CVE-2023-42793) on Sept. 18, and said that on-premises instances of the TeamCity CI/CD server are impacted. TeamCity is a tool that helps automate the processes for building, testing and deploying software applications, and because these types of servers have access to source code and the data related to building and deploying this source code, it makes them valuable targets for attackers.
In October, Microsoft researchers warned that two North Korean nation state actors were exploiting the flaw in order to steal browser credentials and data from targeted organizations. Now, Russian state sponsored actors have joined the fray, according to a new alert on Wednesday by several U.S. government agencies (including the FBI, CISA and NSA) along with agencies from Poland and the UK, which specifically attributed the activity to APT29, cyber actors associated with the Russian Foreign Intelligence Service (SVR).
“In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies,” according to the cybersecurity advisory on Wednesday. “By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers.”
In addition to source code, TeamCity servers give attackers the ability to undermine software compilation and deployment processes - an invaluable option that they could use to launch a supply-chain attack. While APT29 has previously launched supply-chain attacks - including the infamous SolarWinds attack - the U.S. government said that it does not appear the group launched this type of attack after exploiting the TeamCity bug, due to the limited number and “seemingly opportunity types” of victims.
“The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” according to the advisory.
U.S. government agencies warn that threat actors are likely still in the preparatory phase of their attack. APT29’s exploitation of the JetBrains flaw typically resulted in code execution with high privileges, which granted the group a foothold in the network environment. The group also used the age-old post-compromise tactic known as Bring Your Own Vulnerable Driver, where they implant a legitimate signed driver with an exploitable flaw in order to disable security controls.
“In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies.”
“This was done using an open source project called ‘EDRSandBlast,’” according to the advisory. “The authoring agencies have observed the SVR using EDRSandBlast to remove protected process light (PPL) protection, which is used for controlling and protecting running processes and protecting them from infection.”
The group also targeted DLL hijacking flaws in the Zabbix and Webroot software and attempted to backdoor an open source application developed by Microsoft, all as ways to hide their backdoor from security teams. APT29 leveraged a number of additional tools (like Mimikatz, WinPEAS and NoLMHash registry key modification) for privilege escalation.
Attackers primarily deployed the GraphicalProton, a backdoor that abuses OneDrive and Dropbox for the command-and-control (notably, Microsoft on Wednesday announced that it has disrupted attackers’ abuse of Microsoft OneDrive). While GraphicalProton is a known and relatively simplistic backdoor, attackers have bolstered the level of obfuscation in recent variants. U.S. government agencies also found a variant of GraphicalProton using HTTPS requests (as opposed to cloud-based services) as a command-and-control channel.
The U.S. government agencies did not specify what types of companies were targeted as part of the attacks. However, researchers with Fortinet’s Fortiguard Labs have also been tracking APT29’s campaign, and said that in mid-October they alerted a U.S.-based organization in the biomedical manufacturing industry that had been compromised due to the flaw.
“Observed exploitation originated from multiple disparate threat actors who employed numerous diverse post-exploitation techniques in an attempt to gain a foothold in the victim network,” said researchers with Fortinet in a Wednesday analysis. “As part of this intrusion, the main threat actor employed the GraphicalProton malware to maintain access. The main threat actor primarily used Scheduled Tasks to execute these GraphicalProton payloads.”
U.S. government agencies recommend that all organizations with affected systems that did not immediately apply available patches or workarounds “to assume compromise and initiate threat hunting activities.”
Yaroslav Russkih, head of Security at JetBrains, said in a statement that JetBrains has been contacting its customers directly or via public posts urging them to update their software.
"We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn’t upgrade in time," said Russkih. "In addition, we have been sharing the best security practices to help our customers strengthen the security of their build pipelines. As of right now, according to the statistics we have, fewer than 2 percent of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted."
This story was updated on Dec. 14 with a comment from JetBrains.