[CVSS 9+] Russian APT29 Exploits TeamCity Vulnerability

Executive Summary

The Russian APT29 group, also known as Cozy Bear, has started exploiting a critical vulnerability in JetBrains TeamCity, a software development lifecycle management tool.

The vulnerability, tracked as CVE-2023-42793, allows unauthenticated remote code execution.

Since the flaw provides a way to alter software compilations and deployment processes, it raises concerns about potential supply chain attacks similar to the infamous SolarWinds nightmare.

Although JetBrains patched the issue in September 2023, APT29 has been actively targeting servers hosting TeamCity software since then. All organisations using TeamCity should update urgently if they haven’t already done so.

About TeamCity

TeamCity is a popular continuous integration (CI) server. It is a tool designed to assist software developers in managing and automating software compilation, testing, and release processes.

Developers can leverage TeamCity’s compatibility with various version control systems, including Git, Mercurial, Subversion, Perforce, CVS, StarTeam, ClearCase, Team Foundation Version Control, and Visual SourceSafe. Additionally, TeamCity integrates with popular IDEs like Eclipse, IntelliJ IDEA, and Visual Studio.

JetBrains takes charge of the development and maintenance of TeamCity, ensuring its continuous improvement and reliability.

About CVE-2023-42793

The vulnerability enables attackers to execute malicious code without authentication, posing a significant risk. Consequently, it has a CVSS score of 9.8.

The flaw can result in the compromise of source code, signing certificates, and software compilation and deployment processes. Accordingly, successful attacks could grant cyber attackers access to valuable data and the capability to manipulate software compilations and deployment processes. This raises concerns about the possibility of a SolarWinds-type attack.

JetBrains has released a patch to address this vulnerability. For detailed information on the vulnerability and the company’s recommendations, please refer to the security advisory.

About the Exploits

APT29, a threat group linked to the Russian Foreign Intelligence Service (SVR), has been actively exploiting this TeamCity flaw since September to escalate privileges, move laterally, and deploy additional backdoors.

While the group has not yet carried out supply chain attacks using this access, their persistent presence and long-term access to compromised network environments raise concerns. It is worth noting that the infamous Russian group APT29 was also responsible for the 2020 SolarWinds hack.

In addition, CISA added the TeamCity vulnerability to its Known Exploited Vulnerabilities Catalog on October 4, 2023. Furthermore, on December 13th, CISA released an advisory about Russian groups exploiting the vulnerability, emphasising the urgent need for organisations to take action.

About the SolarWinds Hack

The SolarWinds hack, which took place in 2020, was a significant cybersecurity breach that impacted numerous organisations.

SolarWinds is a prominent software company that offers system management tools for network and infrastructure monitoring, as well as other technical services to hundreds of thousands of organisations globally.

One of the company’s products is a system called Orion, designed for IT performance monitoring. In September 2019, the hackers gained unauthorized access to SolarWinds’ network, and in February 2020 they injected malicious code called Sunburst into Orion. Starting in March 2020, SolarWinds unknowingly distributed compromised versions of the Orion software as updates.

This supply chain incident affected SolarWinds’ clients, including major firms like Microsoft and top U.S. government agencies, resulting in the exposure of sensitive data. The attack, carried out by APT29, is considered one of the most extensive and sophisticated cybersecurity breaches of the 21st century.

Call for Action

It is crucial for organisations to promptly address this TeamCity vulnerability in order to mitigate the risk of widespread damage and potential supply chain attacks. Furthermore, please study CISA’s comprehensive recommendations in the advisory.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.