Russian hackers target unpatched JetBrains TeamCity servers
Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned.
As they noted, this time around, "The victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server."
In these latest attacks, APT 29 has exploited CVE-2023-42793, an authentication bypass vulnerability in the TeamCity CI/CD platform that can lead to RCE. Patches for it were released in mid-September 2023, but there are still nearly 800 unpatched JetBrains TeamCity instances worldwide, according to the Shadowserver Foundation.
After gaining initial access by exploiting the vulnerability, the hackers performed host and network reconnaissance, escalated their privileges, moved laterally, deployed backdoors, and took steps to ensure long-term access to the compromised network environments.
"Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes - access a malicious actor could further use to conduct supply chain operations," the agencies noted in the security advisory.
Security teams at organizations that have failed to patch their TeamCity servers in time should check for signs of intrusion, both by APT 29 and other attackers.
News URL
https://www.helpnetsecurity.com/2023/12/14/russian-hackers-cve-2023-42793/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-09-19 | CVE-2023-42793 | Authentication Bypass Using an Alternate Path or Channel vulnerability in JetBrains TeamCity. In JetBrains TeamCity before 2023.05.4, authentication bypass leading to RCE on TeamCity Server was possible. | 9.8 |