Security News > 2023 > December > Russian hackers target unpatched JetBrains TeamCity servers

Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned.

As they noted, this time around, "The victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server."

In these latest attacks, APT 29 has exploited CVE-2023-42793, an authentication bypass vulnerability in the TeamCity CI/CD platform that can lead to RCE. Patches for it have been released in mid-September 2023, but there are still nearly 800 JetBrains TeamCity unpatched instances worldwide, according to the Shadowserver Foundation.

After gaining initial access by exploiting the vulnerability, the hackers performed host and network reconnaissance, escalated their privileges, performed lateral moves, deployed backdoors, and took steps to ensure long-term access to the compromised network environments.

"Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes-access a malicious actor could further use to conduct supply chain operations," the agencies noted in the security advisory.

Security teams at organizations that have failed to patch their TeamCity servers in time should check for signs of intrusion, both by APT 29 and other attackers.

News URL

https://www.helpnetsecurity.com/2023/12/14/russian-hackers-cve-2023-42793/