North Korean State Actors Expose Vulnerability in TeamCity Server

North Korean State-Backed Threat Groups Exploit Critical Vulnerability in TeamCity Server

Introduction

In recent news, Microsoft has reported that two North Korean state-backed threat groups, known as Diamond Sleet and Onyx Sleet, are actively exploiting a critical remote code execution (RCE) vulnerability in on-premises versions of the JetBrains TeamCity continuous integration and delivery (CI/CD) server.

Details of the Exploitation

According to Microsoft’s report, the attackers are using the CVE-2023-42793 vulnerability to drop backdoors and other implants onto compromised systems. The groups’ broader activities include cyber espionage, data theft, financially motivated attacks, and network sabotage. JetBrains TeamCity is a widely used platform: approximately 30,000 organizations, including major brands such as Citibank, Nike, and Ferrari, rely on it to automate their software build, test, and deployment processes.

Diamond Sleet predominantly targets organizations in IT services, media, and defense-related sectors globally. Onyx Sleet, on the other hand, focuses more narrowly on defense and IT services entities in the US, South Korea, and India. While both threat actors exploit the same vulnerability, each uses a distinct set of tools and techniques after successful exploitation.

The Vulnerability and Exploitation Techniques

JetBrains disclosed CVE-2023-42793 on September 30 and assigned it a near-maximum severity score of 9.8 out of 10 on the CVSS scale. The vulnerability allows an unauthenticated attacker to execute code remotely and gain administrative privileges on an affected TeamCity server exposed to the internet. It affects all on-premises versions of TeamCity.

In Diamond Sleet’s attacks, the threat actors have been using PowerShell to download two malicious payloads. One of these payloads, named ForestTiger, is a backdoor that allows the attacker to run scheduled tasks and dump credentials. The other payload is a configuration file containing information about the malware’s command-and-control infrastructure. Microsoft also observed Diamond Sleet utilizing PowerShell to download a malicious dynamic link library (DLL), a common technique used by threat actors to execute unauthorized code on compromised systems.

Onyx Sleet, on the other hand, creates a new user account on compromised systems designed to impersonate the legitimate Kerberos Ticket Granting Ticket Account. This account is added to the local administrators group and is used to download and decrypt an embedded Portable Executable (PE) resource that is then loaded and launched in memory. This inner payload acts as a proxy tool, establishing a persistent connection between the compromised host and the attacker-controlled infrastructure.
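One way to turn the Onyx Sleet behaviour just described into detection logic, as an added example that is not from the article or from Microsoft’s report: it correlates the creation of a local account with its addition to the local Administrators group and flags account names that imitate the legitimate Kerberos TGT account (krbtgt). The event field names, the 30-minute correlation window, the host names and the sample events are assumptions.

```python
"""Detect the Onyx Sleet pattern described above: a new local account mimicking
the Kerberos TGT account (krbtgt) that is then added to local Administrators.
Added example, not from the article or Microsoft. Records are constructed,
simplified Windows Security events (4720 user created, 4732 member added to a
security-enabled local group); the field names are an assumption."""
from datetime import datetime, timedelta
from typing import Dict, List

KRBTGT = "krbtgt"
WINDOW = timedelta(minutes=30)  # assumed create-to-elevate correlation window

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings of krbtgt."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def mimics_krbtgt(name: str) -> bool:
    """True for lookalikes of 'krbtgt'; the genuine account name is excluded."""
    n = name.lower()
    return n != KRBTGT and (KRBTGT in n or edit_distance(n, KRBTGT) <= 2)

def detect(events: List[Dict]) -> List[Dict]:
    """Alert when a mimicking account is created, then elevated within WINDOW on one host."""
    created: Dict[tuple, datetime] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["account"].lower())
        if ev["id"] == 4720 and mimics_krbtgt(ev["account"]):
            created[key] = ev["time"]
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            t0 = created.get(key)
            if t0 is not None and ev["time"] - t0 <= WINDOW:
                alerts.append({"host": ev["host"], "account": ev["account"],
                               "created": t0, "elevated": ev["time"]})
    return alerts

T = datetime(2023, 10, 18, 9, 0)  # constructed timestamps
SAMPLE_EVENTS = [  # constructed: one suspicious sequence, one benign one
    {"time": T, "host": "BUILD-SRV01", "id": 4720, "account": "krbtgt1"},
    {"time": T + timedelta(minutes=2), "host": "BUILD-SRV01", "id": 4732,
     "account": "krbtgt1", "group": "Administrators"},
    {"time": T, "host": "BUILD-SRV02", "id": 4720, "account": "svc_deploy"},
    {"time": T + timedelta(minutes=1), "host": "BUILD-SRV02", "id": 4732,
     "account": "svc_deploy", "group": "Administrators"},
]
```

Running `detect(SAMPLE_EVENTS)` flags only the BUILD-SRV01 sequence; the benign service account on BUILD-SRV02 is ignored because its name does not resemble krbtgt.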

The Ease of Exploitation and Supply Chain Risks

According to Stefan Schiller, a vulnerability researcher at Sonar, the CVE-2023-42793 vulnerability is very easy for threat actors to find and abuse. Identifying a vulnerable instance of TeamCity is as simple as visiting the login page and checking if the specific version is 2023.05.3 or below. Exploiting the vulnerability requires neither authentication nor user interaction, making it highly reliable.

This incident highlights the increasing interest of threat actors in software development pipelines as initial access vectors for stealing source code and secrets. Vulnerabilities like CVE-2023-42793 in a CI/CD platform enable supply chain attacks, posing significant risks to organizations and downstream users who may download and execute software built on compromised systems.

To address these risks, software organizations should establish a traceable and verifiable link between source code and the final build artifact distributed to consumers. This includes capturing information about the source code version, the tools used for compilation and transformation, and their configurations. Resources like the SLSA project and NIST’s Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipeline offer actionable advice for addressing CI/CD security.

Implementing practices such as reproducible builds can also help in post-compromise situations, as they produce bit-identical software artifacts when the same inputs and environment are used. However, reproducibility requires effort and must be implemented before any incidents occur.

Recommendations and Mitigation Measures

Since the vulnerability disclosure, JetBrains has released a fixed version of TeamCity (version 2023.05.4). Organizations are strongly urged to upgrade to this version to mitigate exposure to the threat. In addition, JetBrains has provided a security patch that organizations unable to update immediately can apply to their existing TeamCity instances to address the remote code execution vulnerability.
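A defender-side inventory check, as an added example that is not from the article or from JetBrains: it classifies a fleet of on-premises servers by the version string shown on the TeamCity login page against the 2023.05.4 fix threshold named above. The login-page footer format and the host names are assumptions, and the HTML snippets are constructed rather than captured.

```python
"""Inventory check of on-premises TeamCity servers against the fixed release
(2023.05.4) named above. Added example, not from the article or JetBrains.
Assumes the login page footer shows text such as 'Version 2023.05.3'; the HTML
snippets below are constructed, not captured from real servers."""
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = (2023, 5, 4)  # first release that fixes CVE-2023-42793

# TeamCity versions look like 2023.05 or 2023.05.3: year.major[.minor]
_VERSION_RE = re.compile(r"Version\s+(\d{4})\.(\d{1,2})(?:\.(\d+))?")

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (year, major, minor) from login page HTML; None if not found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the first fixed release."""
    return version < FIXED_VERSION

def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'vulnerable', 'fixed' or 'unknown' from its login page."""
    result = {}
    for host, html in hosts.items():
        v = parse_version(html)
        if v is None:
            result[host] = "unknown"  # footer missing or customised: check manually
        else:
            result[host] = "vulnerable" if is_vulnerable(v) else "fixed"
    return result

# Constructed footers for three hypothetical servers.
SAMPLE_HOSTS = {
    "ci-build01.example.internal": '<span class="footer">Version 2023.05.3</span>',
    "ci-build02.example.internal": '<span class="footer">Version 2023.05.4</span>',
    "ci-build03.example.internal": "<html><body>Login</body></html>",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" still need a manual check, since a customised or missing footer says nothing about the installed version.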

Conclusion

The exploitation of the critical vulnerability in JetBrains TeamCity by the North Korean state-backed threat groups Diamond Sleet and Onyx Sleet underscores the significance of maintaining robust cybersecurity measures, particularly in software development pipelines. This incident serves as a reminder that vulnerabilities in CI/CD platforms can lead to supply chain attacks with far-reaching consequences for organizations and their downstream users.

Addressing these risks requires a proactive approach that includes establishing traceable links between source code and build artifacts, implementing recommended security practices, and promptly applying security patches and updates. Organizations must remain vigilant in their cybersecurity efforts to prevent and mitigate the impact of such attacks.
