Cozy Bear, a threat group linked to Russia's Foreign Intelligence Service (SVR), has been conducting a global hacking campaign targeting servers hosting JetBrains TeamCity software, according to US, UK and Polish government agencies.
In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023.
TeamCity is a popular product from the Czech software vendor JetBrains. Companies use it to manage and automate software compilation, building, testing and releasing.
“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes,” reads the advisory.
This access could also be used to conduct software supply chain attacks. The report noted that the SVR used such access to compromise SolarWinds and its customers in 2020.
However, in this most recent case, the joint advisory said: “The limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner.”
“The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” it added.
Officials said they have notified dozens of companies across the US, Europe, Asia and Australia after discovering hundreds of compromised devices.
Speaking to Infosecurity, Yaroslav Russkih, head of security at JetBrains, said his company worked on a patch immediately after being informed about the vulnerability. The patch was made available in the TeamCity 2023.05.4 update, which was released on September 18, 2023.
“Since then, we have been contacting our customers directly or via public posts motivating them to update their software. We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn’t upgrade in time. In addition, we have been sharing the best security practices to help our customers strengthen the security of their build pipelines,” Russkih added.
“As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted.”
Is It the First Time This Vulnerability Is Being Exploited?
JetBrains published a patch for the issue on September 20, 2023.
However, threat intelligence provider PRODAFT subsequently reported that the release of technical details led to immediate exploitation by a range of ransomware groups.
Microsoft also reported in October that two North Korean groups it tracks as Diamond Sleet and Onyx Sleet were exploiting the same vulnerability.
On December 13, the UK-backed Shadowserver Foundation said it was still detecting 800 unpatched instances of JetBrains TeamCity worldwide.
JetBrains’ Russkih commented: “The estimate from the Shadowserver Foundation doesn’t distinguish the instances patched with a dedicated security plugin JetBrains released for customers with older versions (since they only look at the version number). We have already reached out to them to discuss potential improvements.”
Who Is Behind the Cozy Bear Moniker?
Cozy Bear, also known as the Dukes, Nobelium, Midnight Blizzard and APT29, is a group of highly skilled hackers with reported ties to Russia's Foreign Intelligence Service (SVR).
The group has been active since at least 2008.
Its activity has previously been blamed for the 2016 data-stealing raid on the Democratic National Committee (DNC), the SolarWinds campaign and separate raids targeting intellectual property related to COVID-19 vaccine development.
CISA’s Recommendations to Mitigate CVE-2023-42793 Exploitation
In the joint advisory, CISA provided a technical analysis of Cozy Bear's exploitation of CVE-2023-42793, along with a list of indicators of compromise (IOCs).
The agencies also issued a set of mitigation recommendations.
Some of the mitigations were general security measures, such as keeping all operating systems, software and firmware up to date, applying multifactor authentication (MFA) and using an endpoint detection and response (EDR) solution.
Others were specifically offered to mitigate a potential compromise in JetBrains TeamCity. These included:
- Apply the available patches for CVE-2023-42793 issued by JetBrains in mid-September 2023, if not already done (the TeamCity 2023.05.4 update, or the dedicated security patch JetBrains released for older versions that cannot be upgraded in time)
- Monitor the network for evidence of encoded commands and execution of network scanning tools
- Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time
- Require MFA for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems
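The second TeamCity-specific recommendation, monitoring for encoded commands and the execution of network scanning tools, can be turned into a simple detection pass over process-creation logs. The Python below is an added example written for this page; it is not code from the advisory, CISA or JetBrains. It decodes PowerShell `-EncodedCommand` arguments (base64 over UTF-16LE) so an analyst sees the real command, and flags a list of scanner process names. The log format, the scanner name list and the sample lines are constructed assumptions for illustration, not indicators taken from the advisory.

```python
"""Flag PowerShell encoded commands and network-scanner launches in
process-creation style log lines. Added example, not from the advisory."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# forms commonly seen. The argument is base64 of a UTF-16LE encoded string.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/]{8,}={0,2})"
)

# Assumption: an illustrative list of scanner process names, not an official one.
SCANNER_NAMES = ("nmap", "masscan", "zmap", "nbtscan", "netscan", "advanced_ip_scanner")
SCANNER_RE = re.compile(r"(?i)\b(" + "|".join(SCANNER_NAMES) + r")(?:\.exe)?\b")


@dataclass
class Finding:
    line_no: int
    kind: str      # "encoded_command" or "scanner"
    detail: str    # decoded command text, or the scanner name
    line: str      # the raw log line that triggered the finding


def decode_powershell(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand argument; None if it is not base64 of UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ps_encode(command: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand
    (used here only to build constructed sample input)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per encoded command or scanner launch, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = ENCODED_FLAG.search(line)
        if m:
            decoded = decode_powershell(m.group(1))
            findings.append(Finding(n, "encoded_command",
                                    decoded if decoded is not None else "<undecodable>", line))
        m = SCANNER_RE.search(line)
        if m:
            findings.append(Finding(n, "scanner", m.group(1).lower(), line))
    return findings


# Constructed sample log lines (hypothetical host, user and paths); not real telemetry.
SAMPLE_LINES = [
    '2023-12-01T10:02:11Z host=build01 user=svc_teamcity cmdline="cmd.exe /c whoami"',
    '2023-12-01T10:02:40Z host=build01 user=svc_teamcity cmdline="powershell.exe -NoP -W Hidden -enc '
    + ps_encode("Get-ChildItem C:\\ProgramData\\JetBrains") + '"',
    '2023-12-01T10:05:03Z host=build01 user=svc_teamcity cmdline="C:\\Users\\Public\\nmap.exe -sT -p 445,3389 10.10.0.0/24"',
    '2023-12-01T10:06:17Z host=build01 user=svc_teamcity cmdline="powershell.exe -File C:\\BuildAgent\\build.ps1"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

The decode step matters more than the flag match: a base64 blob in an alert is opaque, whereas the decoded text lets a responder see at once whether the command touches TeamCity data directories, credentials or remote hosts. Extend `SCANNER_NAMES` and the log parsing to match the EDR or Sysmon fields in use.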