The Russian military intelligence unit [4], Cozy Bear [1] [2] [4] [7], also known as the Dukes and APT29 [4], has been actively exploiting a vulnerability in JetBrains TeamCity software [1] [4]. This software is widely used for managing and automating software building [4], testing [4], and releasing [1] [4].

Description

The Cybersecurity and Infrastructure Security Agency (CISA) [4], along with the FBI [4], the National Security Agency (NSA) [4], and international partners [4], have issued a warning about this exploitation [4]. The threat actors have been targeting servers hosting TeamCity software for the past two months [4], with a focus on technology companies [4], foreign governments [4], and academic institutions [4].

The vulnerability being exploited is tracked as CVE-2023-42793 [4]. If a server is compromised through it [4], malicious actors could gain access to source code [4] and signing certificates [1] [2] [4] [7], and the ability to manipulate software compilation and deployment processes [1] [4]. The advisory also highlights the potential for threat actors to conduct supply chain operations by manipulating the developer's source code [4].

The Polish Military Counterintelligence Service (SKW) and CERT Polska have worked with intelligence agencies and private entities to disrupt the Russian attempts [7]. Organizations are advised to apply patches and workarounds [7], to assume compromise if this has not already been done [7], and to conduct threat hunting activities [7]. The joint report by the FBI [7], CISA [6] [7], NSA [7], SKW [7], CERT.PL [7], and NCSC provides more information and recommendations for incident response [7].

The FBI [4], along with Polish authorities [5], disrupted a cyber operation conducted by the Russian APT29 group [5], also known as SVR [5]. The operation involved exploiting a vulnerability in JetBrains TeamCity (CVE-2023-42793) to target various institutions [5]. The attack allowed the hackers to gain access to source code [5], potentially exposing sensitive information and enabling the insertion of backdoors [5].

The joint effort of Polish [5], American [5], British [5], and Microsoft teams successfully detected [5], analyzed [5], and neutralized the Russian operation [5]. Users of JetBrains TeamCity who have not applied the necessary updates are advised to assume they have been compromised and conduct a thorough analysis of their infrastructure [5]. The campaign targeted a wide range of organizations [5], highlighting the importance of implementing security measures [5].

Conclusion

The collaborative actions led to the identification of the campaign [5], its victims [3] [5] [6], and the techniques used by SVR [5], as well as the blocking of their infrastructure and the neutralization of their tools [5]. These actions demonstrate the ongoing efforts of allied agencies to protect national [5], public [1] [5] [6], and private security from Russia’s unreasonable and disproportionate actions [5].

References

[1] https://www.darkreading.com/vulnerabilities-threats/global-teamcity-exploitation-opens-door-to-solarwinds-style-nightmare
[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
[3] https://fr.techtribune.net/d2/tendance-actuelle/des-hackers-russes-ciblent-les-serveurs-de-teamcity-depuis-septembre/818968/
[4] https://www.bankinfosecurity.com/cisa-warns-russian-hackers-targeting-jetbrains-software-a-23866
[5] https://niebezpiecznik.pl/post/fbi-razem-z-polakami-zepsuli-rosjanom-cyberoperacje/
[6] https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793
[7] https://www.gov.pl/web/baza-wiedzy/russian-intelligence-use-jetbrains-cve-in-global-targeting