North Korean threat actors [1] [2] [3] [4] [5] [7], tracked by Microsoft as Diamond Sleet and Onyx Sleet [1] [2] [4] [5] [7] [9], have been exploiting a critical vulnerability in JetBrains TeamCity servers since October 2023 [3] [5]. The vulnerability allows unauthenticated attackers to execute code remotely [6] [7] [8], which can lead to the theft of source code [7], service secrets [7], and private keys [7]. Microsoft’s security team has observed both nation-state actors carrying out remote code execution attacks through it [4].

The vulnerability has a severity rating of 9.8 and affects multiple versions of the CI/CD application used in software development [4]. Diamond Sleet compromises TeamCity servers and deploys the ForestTiger implant [1], while Onyx Sleet creates a new user account named krtbgt and deploys a custom proxy tool called HazyLoad [1]. Both actors use a range of tools and techniques [1], including DLL search-order hijacking and system discovery commands [1], to establish persistent access and to lock out other threat actors from the compromised host [1].
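One concrete check a defender can run against the account-creation activity described above, as an added example that is not part of the original report or of Microsoft's guidance: it scans constructed Windows Security audit lines (Event ID 4720, "a user account was created"), flags the krtbgt name attributed to Onyx Sleet, and also flags names that merely imitate the built-in krbtgt Kerberos account, since attacker-chosen names like this one are typically chosen to blend in. The log format and host names are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample Windows Security audit lines (Event ID 4720 = user account created),
# flattened to one line each the way a SIEM export often renders them. Not real data.
SAMPLE_EVENTS = [
    "2023-10-18T02:11:07Z EventID=4720 Computer=TEAMCITY01 SubjectUserName=svc_build TargetUserName=krtbgt",
    "2023-10-18T09:30:00Z EventID=4720 Computer=TEAMCITY01 SubjectUserName=admin TargetUserName=jdoe",
    "2023-10-18T11:02:44Z EventID=4624 Computer=TEAMCITY01 SubjectUserName=jdoe TargetUserName=jdoe",
    "2023-10-19T04:15:09Z EventID=4720 Computer=DC01 SubjectUserName=helpdesk TargetUserName=KrbTgt2",
]

# Account name Microsoft attributes to Onyx Sleet in the report above.
KNOWN_BAD_ACCOUNTS = {"krtbgt"}
# The built-in Kerberos service account that such a name is meant to resemble.
LOOKALIKE_TARGET = "krbtgt"

EVENT_RE = re.compile(r"EventID=(?P<id>\d+)\s.*?TargetUserName=(?P<target>\S+)")


def classify(account):
    """Return a reason string if a newly created account name is suspicious, else None."""
    name = account.lower()
    if name in KNOWN_BAD_ACCOUNTS:
        return "known Onyx Sleet account name"
    # Near-misses of krbtgt (transposed letters, trailing digits) are treated as imitation.
    if SequenceMatcher(None, name, LOOKALIKE_TARGET).ratio() >= 0.8:
        return "imitates built-in krbtgt account"
    return None


def find_suspicious_account_creations(lines):
    """Return (account, reason, raw_line) for every 4720 event whose new account looks suspicious."""
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group("id") != "4720":
            continue  # ignore malformed lines and non-creation events
        reason = classify(m.group("target"))
        if reason:
            hits.append((m.group("target"), reason, line))
    return hits


if __name__ == "__main__":
    for account, reason, line in find_suspicious_account_creations(SAMPLE_EVENTS):
        print(f"[ALERT] {account}: {reason} <- {line}")
```

The same function can be pointed at a real export of 4720 events; any hit on a TeamCity host warrants the lateral-movement investigation recommended further down.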

Microsoft warns that these actors [4], also known as Lazarus and Andariel, have previously conducted software supply chain attacks and pose a particularly high risk to affected organizations [4]. JetBrains has released an update that addresses the vulnerability [5] [9]. TeamCity is used by over 30,000 users worldwide [7], including notable organizations such as Nike [7], Ferrari [7], Citibank [7], and Ubisoft [7]. Organizations are advised to apply the latest update [4], use antivirus tools [4], review Microsoft’s list of indicators of compromise [4], block inbound traffic from the IP addresses Microsoft specifies [4], isolate compromised systems [4], and investigate for lateral movement in order to mitigate the threat.

Both threat actors are also tracked under other names, including Labyrinth Chollima and Silent Chollima [2]. Microsoft is concerned about potential software supply chain attacks [3], as North Korean threat actors have successfully conducted such attacks in the past [3]. These attacks involve the deployment of backdoors [3], persistence on compromised networks [3] [6], and exfiltration of credentials [3]. Organizations should take immediate action to protect themselves by implementing the recommended mitigations. These attacks underline the ongoing need for robust cybersecurity measures and vigilance in the face of evolving threats.