Two North Korean nation-state actors have been spotted exploiting a previously disclosed remote code execution flaw in TeamCity, a continuous integration and continuous deployment (CI/CD) tool.
Software development tool company JetBrains released version 2023.05.4 to fix the flaw (CVE-2023-42793) on Sept. 18, and said that on-premises instances of the TeamCity CI/CD server are impacted. On Wednesday, Microsoft’s threat intelligence group said that it has observed two groups targeting the flaw since early October in attacks that deploy backdoors, steal credentials and more.
“Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers,” according to Microsoft researchers. “However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments.”
The first group, a North Korean nation-state actor tracked as Lazarus or Zinc, is known to target media, IT services and defense organizations globally. The group has carried out attacks aimed at espionage, data theft, financial gain and network destruction. In one attack disclosed last year, it ran social engineering campaigns that used weaponized copies of legitimate open-source software.
After exploiting the TeamCity flaw in these more recent attacks, the group created a scheduled task (named Windows TeamCity Settings User Interface) for persistence and deployed the ForestTiger backdoor, which it used to dump credentials from LSASS memory. In some cases, the group also carried out DLL search-order hijacking.
The second group, known as Plutonium or Andariel, is another North Korean nation-state actor that has targeted defense and IT services organizations in the U.S., South Korea and India. Its tactics, techniques and procedures (TTPs) have included exploiting N-day flaws to gain initial access and using a number of tools to establish persistent access to victim networks.
After exploiting the flaw, this group created a new user account (named krtbgt) on compromised systems and added it to the local Administrators group. The name was likely chosen to pass for the legitimate Kerberos Ticket Granting Ticket (KRBTGT) Windows account. The group also deployed a proxy tool, called HazyLoad, which established a persistent connection between the compromised host and attacker-owned infrastructure. In addition, the group stopped the TeamCity service, likely to prevent other threat actors from exploiting the same server, dumped credentials from LSASS memory and deployed tools aimed at stealing browser credentials and data.
TeamCity is a tool that automates the processes for building, testing and deploying software applications. Because these servers have access to source code and to the data used to build and deploy it, they are considered a “high-value target for attackers,” according to the researchers at Sonar who discovered the flaw. The flaw could give attackers access to the build process and enable them to inject malicious code, and the researchers warned that it could serve as a supply-chain attack vector.
At the same time, Microsoft noted that Zinc and other North Korean groups have previously launched software supply chain attacks by infiltrating build environments, and warned that these attacks are “particularly high risk” for impacted organizations.
In addition to applying patches, Microsoft researchers recommend that security teams block inbound traffic from the IP addresses listed in Microsoft’s indicators of compromise (IOC) table, address any malicious activity found and check for evidence of lateral movement.
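The host-level indicators the article names (a krbtgt look-alike account added to Administrators, the named scheduled task, the TeamCity service being stopped) can be swept for in Windows event logs. The example below is added here and is not Microsoft's or JetBrains' code; it runs over constructed event records whose field names follow the standard Windows event schema, and it assumes an ingestion layer has already turned the events into dictionaries.

```python
"""Added detection sweep over constructed Windows event records (not real telemetry)
for the indicators the article reports: a near-miss of the 'krbtgt' name created and
added to a local group, the named scheduled task, and the TeamCity service stopping."""

SUSPICIOUS_TASK = "windows teamcity settings user interface"  # 4698 TaskName, minus leading '\'
LEGIT_KRBTGT = "krbtgt"


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance plus adjacent transposition, so 'krtbgt' -> 'krbtgt' is 1 edit."""
    # First row/column hold the distance from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def is_krbtgt_lookalike(name: str) -> bool:
    """True for names one edit away from 'krbtgt' that are not the real account itself."""
    n = name.lower()
    return n != LEGIT_KRBTGT and osa_distance(n, LEGIT_KRBTGT) <= 1


def scan(events: list[dict]) -> list[str]:
    """Return one finding string per matching event; the caller decides severity."""
    findings, lookalikes = [], set()
    for e in events:
        eid = e["EventID"]
        if eid == 4720 and is_krbtgt_lookalike(e["TargetUserName"]):  # user account created
            lookalikes.add(e["TargetUserName"].lower())
            findings.append(f"krbtgt look-alike account created: {e['TargetUserName']}")
        elif eid == 4732 and e["MemberName"].lower() in lookalikes:  # added to local group
            # Real 4732 records usually carry only MemberSid; resolve it before matching.
            findings.append(f"look-alike added to group {e['TargetUserName']}: {e['MemberName']}")
        elif eid == 4698 and e["TaskName"].lstrip("\\").lower() == SUSPICIOUS_TASK:
            findings.append(f"suspicious scheduled task registered: {e['TaskName']}")
        elif eid == 7036 and "teamcity" in e["param1"].lower() and e["param2"].lower() == "stopped":
            findings.append(f"service stopped: {e['param1']}")
    return findings


SAMPLE_EVENTS = [  # constructed records; field names follow the Windows event schema
    {"EventID": 4720, "TargetUserName": "krtbgt"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "krtbgt"},
    {"EventID": 4720, "TargetUserName": "svc_build"},  # benign: not a look-alike
    {"EventID": 4698, "TaskName": "\\Windows TeamCity Settings User Interface"},
    {"EventID": 7036, "param1": "TeamCity Server", "param2": "stopped"},
    {"EventID": 7036, "param1": "Print Spooler", "param2": "stopped"},  # benign
]
```

Running `scan(SAMPLE_EVENTS)` yields four findings and ignores the two benign records; the look-alike check deliberately excludes the genuine krbtgt account so it does not fire on normal domain activity.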