Russian SVR-linked APT29 targets JetBrains TeamCity servers in ongoing attacks


Threat actors affiliated with Russia’s Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023.

The activity is linked to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium) and The Dukes. It is best known for the 2020 supply chain attack on SolarWinds and its customers.

“However, the SVR has been observed using the initial access gained by abusing the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to gain persistent and long-term access to the compromised network environments,” cybersecurity agencies from Poland, the UK and the US said.

The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical flaw that lets unauthenticated attackers achieve remote code execution on affected servers. Since its disclosure it has been actively exploited by multiple hacking crews, including those associated with North Korea, to deliver malware.

“Exploiting TeamCity typically resulted in code execution with high privileges, giving the SVR an advantageous foothold in the network environment,” the agencies noted.

“If access to a TeamCity server is compromised, malicious actors could gain access to the software developer’s source code, signing certificates, and have the ability to subvert software compilation and deployment processes – access that a malicious actor could further use to compromise supply chain operations.”

Successful initial access is typically followed by reconnaissance, privilege escalation, lateral movement, and data exfiltration, while simultaneously taking steps to evade detection using an open-source tool called EDRSandBlast. The ultimate goal of the attacks is to deploy a backdoor codenamed GraphicalProton that functions as a loader to deliver additional payloads.

GraphicalProton, also known as VaporRage, uses OneDrive as its primary command-and-control (C2) channel, with Dropbox as a fallback. It has been used by the threat actor as part of an ongoing campaign called Diplomatic Orbiter, which targets diplomatic agencies around the world.

“Post-compromise activities include credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and disabling antivirus and EDR capabilities,” Microsoft said, adding that it has taken steps to disrupt what it described as a “widespread campaign” targeting TeamCity servers through the flaw.

As many as 100 devices in the US, Europe, Asia and Australia are said to have been compromised in what are suspected to be opportunistic attacks.

Targets of the campaign include an energy trading organization; companies that provide software for billing, medical devices, customer service, employee monitoring, financial management, marketing, sales and video games; as well as hosting companies, tool manufacturers, and IT companies large and small.

The disclosure comes as Microsoft detailed Russia’s multi-pronged attacks on Ukraine’s agricultural sector between June and September 2023, aimed at penetrating networks, exfiltrating data and deploying destructive malware such as SharpWipe (also known as WalnutWipe).

The intrusions have been traced back to two nation-state groups codenamed Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium), respectively.

Seashell Blizzard has also been observed exploiting pirated Microsoft Office software that harbors the DarkCrystalRAT (aka DCRat) backdoor to gain initial access, then using it to download a second-stage payload called Shadowlink that masquerades as Microsoft Defender but is actually a Tor service enabling stealthy remote access.

“Midnight Blizzard took a kitchen-sink approach, using password spray, credentials obtained from third parties, credible social engineering campaigns through Teams and misuse of cloud services to infiltrate cloud environments,” the tech giant said.

Microsoft further highlighted a Russia-linked influence actor it calls Storm-1099 (also known as Doppelganger) for conducting sophisticated pro-Russian influence operations targeting international supporters of Ukraine since spring 2022.

Other influence efforts include spoofing mainstream media and deceptively editing videos of celebrities shared on Cameo to promote anti-Ukrainian content and defame President Volodymyr Zelensky by falsely claiming he suffered from substance abuse problems, underscoring ongoing efforts to distort global perceptions of the war.

“This campaign marks a new approach by pro-Russian actors seeking to advance the narrative in the online information space,” Microsoft said. “Russian cyber and influence operators have demonstrated adaptability throughout the war against Ukraine.”


Following the story’s publication, Yaroslav Russkih, head of security at JetBrains, shared the statement below with The Hacker News:

“We were informed of this vulnerability earlier this year and immediately fixed it in the TeamCity 2023.05.4 update, which was released on September 18, 2023. Since then, we have reached out to our customers directly or via public messages to encourage them to We also released a special security patch for organizations using older versions of TeamCity that they were unable to upgrade in time, and shared security best practices to help our customers strengthen the security of their build pipelines. According to the statistics we have, less than 2% of TeamCity instances are still running unpatched software, and we hope their owners patch it immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not affected.”
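The practical question the JetBrains statement raises is which on-premises TeamCity instances in an estate are still below 2023.05.4. The script below is an added example, not JetBrains code or anything from the article: it parses TeamCity version banners of the form "YYYY.MM[.patch] [EAPn] (build N)" and flags anything older than the fixed release. It runs against a constructed inventory of hypothetical hostnames and banners; in practice the banner would come from the server's login page footer or REST API (the exact endpoint is an assumption and is not used here). Because JetBrains also shipped a separate security patch plugin for older branches, an old version string means "investigate", not a confirmed vulnerability.

```python
"""Triage TeamCity on-premises servers against the CVE-2023-42793 fix version.

Added example, not JetBrains code. Hostnames and build numbers below are
constructed placeholders.
"""
import re

# First release carrying the fix, per the JetBrains statement.
PATCHED_VERSION = (2023, 5, 4)

# TeamCity reports versions as "YYYY.MM[.patch] [EAPn] (build NNNNNN)".
_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?(?:\s+(EAP\d*))?")


def parse_version(banner: str):
    """Return (year, minor, patch, is_eap) parsed from a version banner,
    or None if the banner contains no recognisable version."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    year, minor, patch, eap = m.groups()
    return int(year), int(minor), int(patch or 0), eap is not None


def assess(banner: str) -> str:
    """Classify a server banner.

    'unknown'     - no version could be parsed; check the host manually
    'patched'     - version is 2023.05.4 or later
    'investigate' - version predates the fix; vulnerable unless the separate
                    security patch plugin JetBrains shipped for older branches
                    has been installed, which the version string alone does
                    not reveal (assumption: operators verify that out-of-band)
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    year, minor, patch, _ = parsed
    if (year, minor, patch) >= PATCHED_VERSION:
        return "patched"
    return "investigate"


# Constructed sample inventory: hypothetical hosts, placeholder build numbers.
SAMPLE_INVENTORY = {
    "build01.example.internal": "2023.05.4 (build 100004)",
    "build02.example.internal": "2023.05.3 (build 100003)",
    "legacy.example.internal": "2022.04.3 (build 100002)",
    "eap.example.internal": "2023.11 EAP3 (build 100005)",
    "odd.example.internal": "TeamCity",
}


def triage(inventory: dict) -> dict:
    """Map each host in the inventory to its assessment."""
    return {host: assess(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {verdict}")
```

Anything reported as "investigate" should be cross-checked for the security patch plugin before being counted as safe, and "unknown" hosts (a banner with the version stripped, or a proxy in front of the server) need a manual look rather than being silently dropped from the list.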

