Cybersecurity Alert: North Korean Hackers Exploit TeamCity Vulnerability

Supply Chain Security: North Korean Hackers Exploiting Recent TeamCity Vulnerability

Introduction

In a recent report, Microsoft has warned that multiple North Korean threat actors have been taking advantage of a vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server. The vulnerability, tracked as CVE-2023-42793, allows unauthenticated attackers to execute code remotely on vulnerable TeamCity instances and gain administrator-level permissions. This poses a significant risk to organizations, as North Korean hacking groups have been known to conduct software supply chain attacks.

The Exploitation of the TeamCity Vulnerability

According to Microsoft, at least two North Korean state-sponsored threat actors, named Diamond Sleet and Onyx Sleet, have been exploiting the CVE-2023-42793 vulnerability. Diamond Sleet, also known as Zinc and believed to be a sub-group of Lazarus, is focused on espionage, data theft, destruction, and financial gain. This group has been observed compromising TeamCity servers to deploy a persistent backdoor named ForestTiger. On the other hand, Onyx Sleet, also tracked as Plutonium, Andariel, and DarkSeoul, is known for exploiting zero-day vulnerabilities in attacks targeting defense and IT services organizations in the US, South Korea, and India.

Attack Techniques and Potential Impact

The North Korean hacking groups have utilized various techniques to exploit the TeamCity vulnerability. Diamond Sleet has been seen leveraging DLL search-order hijacking and legitimate executables to carry out nefarious activities, such as deploying a remote access trojan (RAT). Onyx Sleet, on the other hand, has been observed creating new accounts on compromised systems to impersonate legitimate Windows accounts, adding them to administrative groups. These attacks allow the threat actors to gain persistent access to victim environments, enabling them to conduct data theft, credential theft, and potential lateral movement within the compromised organizations.

Recommendations for Organizations

To protect against these supply chain attacks, organizations are advised to take the following actions:

1. Apply patches: Organizations using TeamCity should immediately apply the patches released by JetBrains to fix the CVE-2023-42793 vulnerability. Keeping software up to date is crucial in protecting against known vulnerabilities.

2. Network investigation: Organizations should thoroughly investigate their networks for any signs of potential compromise. This includes searching for the indicators of compromise (IoCs) provided by Microsoft and analyzing network logs for suspicious activity related to TeamCity servers.

3. Block malicious traffic: It is important to block traffic originating from the IP addresses listed in Microsoft’s IoCs. This can help prevent further exploitation and unauthorized access to the network.

4. Remediate identified malicious activity: If any malicious activity is identified, organizations should take immediate action to remediate it. This may involve removing malware, closing unauthorized accounts, and securing compromised systems.

5. Lateral movement detection: Organizations should also focus on detecting and preventing lateral movement within their networks. Network segmentation, access control, and strong authentication mechanisms can help limit the impact of a potential breach.
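As an added illustration of the account-creation technique attributed to Onyx Sleet above and of the log review that recommendation 2 calls for (example code written for this page, not from Microsoft's report or JetBrains): the script below correlates Windows Security events 4720 (user account created) and 4732 (member added to a local group) over a constructed log excerpt and flags new accounts that join an administrative group shortly after creation, noting when the name mimics a built-in Windows account. The line format, host and account names are assumptions.

```python
import re
from difflib import get_close_matches
from datetime import datetime

# Constructed Windows Security log excerpt (sample data, not from the article or
# Microsoft's report). Event ID 4720 = user account created, 4732 = member added
# to a security-enabled local group. The first two lines show the pattern: a new
# account with a lookalike name is added to Administrators seconds after creation.
SAMPLE_LOG = """\
2023-10-18T09:14:02 EventID=4720 Host=BUILD01 Subject=svc_teamcity Target=Adminstrator
2023-10-18T09:14:09 EventID=4732 Host=BUILD01 Subject=svc_teamcity Member=Adminstrator Group=Administrators
2023-10-18T10:30:00 EventID=4720 Host=BUILD01 Subject=helpdesk Target=jsmith
2023-10-18T11:45:00 EventID=4732 Host=BUILD01 Subject=helpdesk Member=jsmith Group="Remote Desktop Users"
"""

ADMIN_GROUPS = {"Administrators", "Domain Admins"}
BUILTIN_NAMES = ["administrator", "guest", "defaultaccount", "krbtgt", "wdagutilityaccount"]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"

def parse_events(text):
    """Turn each log line into a dict of fields plus a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        if not rest:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def lookalike_of(name):
    """Return the built-in account name that `name` imitates, or None.
    An exact (case-insensitive) match is the real built-in, not a lookalike."""
    name = name.lower()
    if name in BUILTIN_NAMES:
        return None
    close = get_close_matches(name, BUILTIN_NAMES, n=1, cutoff=0.85)
    return close[0] if close else None

def find_new_admin_accounts(text, window_seconds=600):
    """Flag accounts added to an admin group within `window_seconds` of creation.
    Returns (host, account, mimicked_builtin_or_None) tuples."""
    created, hits = {}, []
    for ev in parse_events(text):
        if ev.get("EventID") == "4720":
            created[(ev["Host"], ev["Target"])] = ev["ts"]
        elif ev.get("EventID") == "4732" and ev.get("Group") in ADMIN_GROUPS:
            key = (ev["Host"], ev["Member"])
            if key in created and (ev["ts"] - created[key]).total_seconds() <= window_seconds:
                hits.append((ev["Host"], ev["Member"], lookalike_of(ev["Member"])))
    return hits
```

Running `find_new_admin_accounts(SAMPLE_LOG)` on the sample returns the one suspicious account; the helpdesk-created user is ignored because "Remote Desktop Users" is not an administrative group.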

Conclusion

The exploitation of the TeamCity vulnerability by North Korean hackers highlights the ongoing risk of supply chain attacks. These attacks can have severe consequences, including data theft, credential theft, and potential disruption of critical operations. Organizations must remain vigilant and proactive in their cybersecurity measures, including patch management, network monitoring, and incident response. By taking these steps, organizations can reduce the likelihood of falling victim to supply chain attacks and mitigate the potential impact of a breach.
