Security News > 2023 > December > Russian hackers target unpatched JetBrains TeamCity servers
Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned.
As they noted, this time around, "The victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server."
In these latest attacks, APT 29 has exploited CVE-2023-42793, an authentication bypass vulnerability in the TeamCity CI/CD platform that can lead to RCE. Patches for it have been released in mid-September 2023, but there are still nearly 800 JetBrains TeamCity unpatched instances worldwide, according to the Shadowserver Foundation.
After gaining initial access by exploiting the vulnerability, the hackers performed host and network reconnaissance, escalated their privileges, performed lateral moves, deployed backdoors, and took steps to ensure long-term access to the compromised network environments.
"Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes-access a malicious actor could further use to conduct supply chain operations," the agencies noted in the security advisory.
Security teams at organizations that have failed to patch their TeamCity servers in time should check for signs of intrusion, both by APT 29 and other attackers.
News URL
https://www.helpnetsecurity.com/2023/12/14/russian-hackers-cve-2023-42793/
Related news
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers (source)
- Russian security firm Dr.Web disconnects all servers after breach (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- 100+ domains seized to stymie Russian Star Blizzard hackers (source)
- Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday (source)
- CISA: Hackers abuse F5 BIG-IP cookies to map internal servers (source)
- Russian hackers deliver malicious RDP configuration files to thousands (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-09-19 | CVE-2023-42793 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible | 9.8 |