Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023.
The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack targeting SolarWinds and its customers in 2020.
"The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said.
The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affected systems. It has since come under active exploitation by hacking crews, including those associated with North Korea, for malware delivery.
"The TeamCity exploitation usually resulted in code execution with high privileges granting the SVR an advantageous foothold in the network environment," the agencies noted.
"If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes — access a malicious actor could further use to conduct supply chain operations."
A successful initial access is typically followed by reconnaissance, privilege escalation, lateral movement, and data exfiltration, while simultaneously taking steps to evade detection using an open-source tool called EDRSandBlast. The end goal of the attacks is to deploy a backdoor codenamed GraphicalProton that functions as a loader to deliver additional payloads.
GraphicalProton, which is also known as VaporRage, leverages OneDrive as a primary command-and-control (C2) communication channel, with Dropbox treated as a fallback mechanism. It has been put to use by the threat actor as part of an ongoing campaign dubbed Diplomatic Orbiter that singles out diplomatic agencies across the world.
"Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR capabilities," Microsoft said, adding it took steps to disrupt what it described as a "widespread campaign" targeting TeamCity servers by exploiting the flaw.
As many as 100 devices located across the U.S., Europe, Asia, and Australia are said to have been compromised as a result of what's suspected to be opportunistic attacks.
Targets of the campaign include an energy trade association; firms that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT enterprises.
The disclosure comes as Microsoft revealed Russia's multi-pronged assault on Ukraine's agriculture sector between June through September 2023 to penetrate networks, exfiltrate data, and deploy destructive malware such as SharpWipe (aka WalnutWipe).
The intrusions have been tied back to two nation-state groups codenamed Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium), respectively.
Seashell Blizzard has also been observed taking advantage of pirated Microsoft Office software harboring the DarkCrystalRAT (aka DCRat) backdoor to gain initial access, subsequently using it to download a second-stage payload named Shadowlink that masquerades as Microsoft Defender but, in reality, installs a TOR service for surreptitious remote access.
"Midnight Blizzard took a kitchen sink approach, using password spray, credentials acquired from third-parties, believable social engineering campaigns via Teams, and abuse of cloud services to infiltrate cloud environments," the tech giant said.
Microsoft further highlighted a Russia-affiliated influence actor it calls Storm-1099 (aka Doppelganger) for carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022.
Other influence efforts comprise spoofing mainstream media and deceptively editing celebrity videos shared on Cameo to propagate anti-Ukraine video content and malign President Volodymyr Zelensky by falsely claiming he suffered from substance abuse issues, underscoring continued efforts to warp global perceptions of the war.
"This campaign marks a novel approach by pro-Russia actors seeking to further the narrative in the online information space," Microsoft said. "Russian cyber and influence operators have demonstrated adaptability throughout the war on Ukraine."
Update
Following the publication of the story, Yaroslav Russkih, head of security at JetBrains, shared the below statement with The Hacker News -
"We were informed about this vulnerability earlier this year and immediately fixed it in TeamCity 2023.05.4 update, which was released on September 18, 2023. Since then, we have been contacting our customers directly or via public posts motivating them to update their software. We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn't upgrade in time. In addition, we have been sharing the best security practices to help our customers strengthen the security of their build pipelines. As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted."
