North Korean State Actors Exploit Critical TeamCity Server Bug: North Korean state-backed threat groups are exploiting a critical vulnerability in JetBrains TeamCity, the company's CI/CD server, in intrusions that Microsoft attributes to two distinct groups.
This news item summarizes what is known about the flaw, the attackers' tooling, and the response.
Key Takeaways on North Korean State Actors Exploit Critical TeamCity Server Bug:
- CVE-2023-42793 Exploitation: North Korean actors are exploiting CVE-2023-42793, a critical authentication bypass in on-premises JetBrains TeamCity that leads to remote code execution.
- Wide Range of Malicious Activities: The groups involved conduct cyber espionage, data theft, financially motivated attacks, and destructive network attacks; access to a build server serves all of those goals.
- Focus on Development Pipelines: The attacks underscore the growing threat actor interest in CI/CD systems, where a single compromise can taint every artifact the server builds.
Exploiting CVE-2023-42793
Two North Korean state-backed groups, tracked by Microsoft as Diamond Sleet (also known as Lazarus) and Onyx Sleet (Andariel), have been actively exploiting CVE-2023-42793.
The flaw lets an unauthenticated attacker bypass authentication and execute code on TeamCity servers, which JetBrains says are used by over 30,000 organizations, including brands such as Citibank, Nike, and Ferrari.
Distinct Threat Approaches
Diamond Sleet primarily targets IT services, media, and defense sectors on a global scale.
Onyx Sleet focuses on defense and IT services entities, with a specific interest in the US, South Korea, and India.
Although both groups exploit the same vulnerability, their post-exploitation tools and techniques differ, which is why the two intrusion patterns are described separately below.
Understanding the Vulnerability
JetBrains disclosed CVE-2023-42793 in September 2023 with a CVSS score of 9.8 (critical).
The flaw is an authentication bypass: an unauthenticated attacker can obtain administrative access to an internet-exposed TeamCity server and, from there, execute arbitrary code on it.
Malicious Payloads and Backdoors
Diamond Sleet uses PowerShell to download its payloads, including a backdoor known as ForestTiger. With the backdoor in place, the attackers create scheduled tasks for persistence on compromised systems and extract credentials, for example by dumping LSASS memory.
A second payload is the backdoor's configuration file, which carries its command-and-control infrastructure and other runtime parameters.
In a separate attack path, the attackers also use PowerShell to download a malicious dynamic link library (DLL) that is loaded through DLL search-order hijacking, a common technique for getting unauthorized code executed by a legitimate process.
Onyx Sleet’s Tactics
Onyx Sleet's post-exploitation routine for CVE-2023-42793 starts by creating a new user account on the compromised server, named to imitate the legitimate KRBTGT (Kerberos Ticket Granting Ticket) account.
The unauthorized account is added to the local Administrators group; the attackers then use it to download a loader that decrypts an embedded Portable Executable (PE) resource.
That resource is loaded and executed in memory and serves as a proxy tool (Microsoft calls it HazyLoad) that maintains a persistent connection between the compromised host and attacker-controlled infrastructure.
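The account pattern described above (a local user whose name imitates KRBTGT, followed by its addition to the local Administrators group) is something a detection engineer can test for directly. The script below is an added example, not Microsoft's or the actor's code. The event records are constructed dictionaries shaped like the relevant fields of Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group); in a real deployment they would be pulled with Get-WinEvent or a SIEM query and mapped to this shape, and the member in 4732 would be a SID that has to be resolved to a name first. Host names, timestamps and account names are made up.

```python
"""Detect a KRBTGT-lookalike local account that is created and then made
a local administrator within a short window.

Added example with constructed events; not code from the original page.
"""
from datetime import datetime, timedelta

LEGIT_NAME = "krbtgt"          # the real account is domain-level, never local
ADMIN_GROUP = "Administrators"
WINDOW = timedelta(hours=1)    # creation -> elevation gap that still correlates


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. A transposed pair costs 2, which still lets a
    threshold of 2 catch 'kbrtgt' without flagging unrelated account names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_krbtgt(name: str) -> bool:
    """True for the real name (a *local* account called krbtgt is itself
    suspicious), for names containing it, and for near-misses within 2 edits."""
    n = name.lower()
    return LEGIT_NAME in n or edit_distance(n, LEGIT_NAME) <= 2


def detect(events):
    """Return alerts. severity 'high': lookalike created and added to
    Administrators within WINDOW; 'medium': lookalike created only."""
    created = {}   # user (lowercase) -> time of the 4720 event
    alerts = []
    elevated = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720 and looks_like_krbtgt(ev["target"]):
            created[ev["target"].lower()] = ev["time"]
        elif ev["id"] == 4732 and ev["group"] == ADMIN_GROUP:
            key = ev["member"].lower()
            t0 = created.get(key)
            if t0 is not None and ev["time"] - t0 <= WINDOW:
                elevated.add(key)
                alerts.append({"severity": "high", "user": ev["member"],
                               "created": t0, "admin_at": ev["time"],
                               "by": ev["subject"]})
    for user, t0 in created.items():
        if user not in elevated:
            alerts.append({"severity": "medium", "user": user, "created": t0})
    return alerts


# Constructed sample: one benign service account, one lookalike that gets
# elevated, one lookalike that is only created. Subject is the acting account.
T0 = datetime(2023, 10, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"id": 4720, "time": T0, "subject": "CI\\teamcity", "target": "svc-backup"},
    {"id": 4732, "time": T0 + timedelta(minutes=1), "subject": "CI\\teamcity",
     "member": "svc-backup", "group": ADMIN_GROUP},
    {"id": 4720, "time": T0 + timedelta(minutes=5), "subject": "CI\\teamcity",
     "target": "kbrtgt"},
    {"id": 4732, "time": T0 + timedelta(minutes=6), "subject": "CI\\teamcity",
     "member": "kbrtgt", "group": ADMIN_GROUP},
    {"id": 4720, "time": T0 + timedelta(minutes=30), "subject": "CI\\teamcity",
     "target": "krbtgt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The "subject" field is worth keeping in the alert: an account created by the service account the TeamCity server runs under is exactly what exploitation of a build server looks like, and that context separates this from an administrator's routine provisioning.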
Ease of Exploitation
Stefan Schiller, the Sonar vulnerability researcher who reported the flaw, emphasizes that CVE-2023-42793 is easy to find and easy to exploit.
Identifying a vulnerable TeamCity instance is as simple as reading the version the server prints on its login page; anything older than 2023.05.4 is affected.
Exploitation requires neither authentication nor any user interaction.
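Defenders can turn that same login-page version check into an inventory sweep. The script below is an added example, not Sonar's or JetBrains' code; the login-page HTML snippets are constructed to imitate the footer where TeamCity prints its version, and the host names and build numbers are made up. It assumes, as the JetBrains advisory states, that every TeamCity On-Premises release before 2023.05.4 is affected.

```python
"""Flag TeamCity servers whose advertised version predates 2023.05.4.

Added example with constructed login-page snippets; not code from the page.
"""
import re

FIXED_VERSION = (2023, 5, 4)

# The login page footer reads e.g. "Version 2023.05.3 (build 129390)".
VERSION_RE = re.compile(
    r"Version\s+(\d+(?:\.\d+)+)(?:\s+\(build\s+(\d+)\))?", re.IGNORECASE
)


def parse_version(text: str):
    """Return the version as a tuple of ints found in login-page text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version) -> bool:
    """True when the version sorts before the fixed release. Python compares
    tuples element-wise, so (2023, 11) > (2023, 5, 4) and (2022, 10, 1) < it,
    exactly as the release ordering requires."""
    return version < FIXED_VERSION


def triage(hosts: dict) -> dict:
    """Map host -> 'vulnerable' | 'fixed' | 'unknown' from login-page HTML."""
    verdicts = {}
    for host, html in hosts.items():
        version = parse_version(html)
        if version is None:
            verdicts[host] = "unknown"      # no version visible: check by hand
        else:
            verdicts[host] = "vulnerable" if is_vulnerable(version) else "fixed"
    return verdicts


# Constructed sample pages (in practice: an HTTP GET of /login.html per host).
SAMPLE_LOGIN_PAGES = {
    "ci-old.example.internal": '<div class="footer">Version 2023.05.3 (build 100001)</div>',
    "ci-fixed.example.internal": '<div class="footer">Version 2023.05.4 (build 100002)</div>',
    "ci-legacy.example.internal": "Version 2022.10.1 (build 100003)",
    "ci-new.example.internal": "Version 2023.11 (build 100004)",
    "ci-unknown.example.internal": "<html><body>Sign in</body></html>",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOGIN_PAGES).items():
        print(f"{host}: {verdict}")
```

One caveat: the version string cannot tell you whether JetBrains' security patch plugin has been installed on an older server, so a "vulnerable" verdict from this sweep means "confirm or upgrade", not "confirmed exploitable".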
Implications for Supply Chain Security
Vulnerabilities like CVE-2023-42793 in CI/CD platforms show how a supply chain weakness propagates.
A build server compromise affects not only the organization running the server but also every downstream user who downloads and runs software built on the compromised system.
Addressing Supply Chain Risks
Software organizations are advised to establish a traceable and verifiable link between source code and the final build artifact they distribute: which source revision was built, by which tools, and under which configuration.
Initiatives like the SLSA project and NIST SP 800-204D, Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines, provide actionable guidance for hardening CI/CD pipelines.
Reproducible builds help as well: if an independent rebuild of the same commit is byte-for-byte identical, artifacts produced by a compromised build server can be validated or rejected after the fact.
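The two checks recommended above, a verifiable source-to-artifact link and a reproducible-build comparison, can be expressed in a few dozen lines. The script below is an added example, not code from the SLSA or NIST projects. The provenance statement is constructed in the in-toto Statement v1 / SLSA Provenance v1 layout, and the artifact bytes, commit hash, builder identity and repository URL are made up. It assumes that the DSSE envelope signature around the statement has already been verified against the builder's public key (that step is omitted here), so only the statement contents are checked.

```python
"""Check an artifact against its SLSA provenance and against an independent
rebuild.

Added example with a constructed provenance statement; not code from the page.
"""
import hashlib

SLSA_V1 = "https://slsa.dev/provenance/v1"
# Hypothetical trust anchors: the only builder and source repo we accept.
TRUSTED_BUILDER = "https://ci.example.internal/builders/teamcity-agent-linux"
TRUSTED_SOURCE = "git+https://git.example.internal/app/app.git"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_provenance(artifact: bytes, statement: dict, expected_commit: str) -> list:
    """Return a list of findings; an empty list means the artifact is
    accounted for by a trusted builder building the reviewed commit."""
    findings = []
    if statement.get("predicateType") != SLSA_V1:
        return ["unexpected predicateType"]
    digest = sha256(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        findings.append("artifact digest not listed as a subject")
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder != TRUSTED_BUILDER:
        findings.append(f"untrusted builder: {builder}")
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    source = [d for d in deps if d.get("uri") == TRUSTED_SOURCE]
    if not source:
        findings.append("source repository not among resolved dependencies")
    elif source[0].get("digest", {}).get("gitCommit") != expected_commit:
        findings.append("source commit differs from the reviewed commit")
    return findings


def rebuild_matches(artifact: bytes, rebuilt: bytes) -> bool:
    """Reproducible-build check: a rebuild of the same commit on independent
    infrastructure must be byte-identical; any difference is a finding."""
    return sha256(artifact) == sha256(rebuilt)


# Constructed sample data.
ARTIFACT = b"constructed release binary app-1.2.3\n"
TAMPERED = ARTIFACT + b"injected payload\n"      # what a poisoned build yields
COMMIT = "deadbeef" * 5                          # made-up 40-hex commit id
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.2.3-linux-amd64",
                 "digest": {"sha256": sha256(ARTIFACT)}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.internal/buildtypes/teamcity/v1",
            "externalParameters": {"source": TRUSTED_SOURCE},
            "resolvedDependencies": [
                {"uri": TRUSTED_SOURCE, "digest": {"gitCommit": COMMIT}}
            ],
        },
        "runDetails": {"builder": {"id": TRUSTED_BUILDER}},
    },
}

if __name__ == "__main__":
    print("clean artifact:", verify_provenance(ARTIFACT, PROVENANCE, COMMIT))
    print("tampered artifact:", verify_provenance(TAMPERED, PROVENANCE, COMMIT))
    print("rebuild identical:", rebuild_matches(ARTIFACT, TAMPERED))
```

The provenance check and the rebuild check catch different failures. Provenance catches an artifact that was never produced by the trusted builder from the reviewed commit; a reproducible rebuild catches the harder case in which the builder itself was compromised and signed honest-looking provenance for a poisoned artifact.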
Mitigation and Response
JetBrains has released TeamCity 2023.05.4, which fixes CVE-2023-42793. Organizations running TeamCity On-Premises are strongly advised to upgrade to it.
For organizations unable to upgrade immediately, JetBrains provides a security patch plugin that closes the authentication bypass on older versions. A server reachable from the internet that cannot be patched either way should be taken offline until it is.
Conclusion
The exploitation of CVE-2023-42793 and the focus on software development pipelines underscore the importance of robust supply chain security. Organizations should remain vigilant and adopt best practices to defend against these emerging threats.
About JetBrains: JetBrains is the developer of TeamCity, the continuous integration and delivery server targeted in these attacks.