Cozy Bear, a threat group linked with the Russian foreign intelligence service (SVR), has been conducting a global hacking campaign targeting servers hosting JetBrains TeamCity software, according to US, UK and Polish government agencies.
In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023.
TeamCity is a popular product from the Czech software provider JetBrains. Companies use it to manage and automate software compilation, building, testing, and releasing.
“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes,” reads the advisory.
This access could also be used to conduct software supply chain attacks. The report noted that the the SVR used such access to compromise SolarWinds and its customers in 2020.
However, in this most recent case, the joint advisory said: “The limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner.”
“The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” it added.
Officials said they have notified dozens of companies across the US, Europe, Asia and Australia after discovering hundreds of compromised devices.
Is It the First Time This Vulnerability Is Being Exploited?
JetBrains published a patch for the issue on September 20, 2023.
However, threat intelligence provider PRODRAFT subsequently reported that the release of technical details led to immediate exploitation by a range of ransomware groups.
Microsoft also reported in October that two North Korean groups it tracks as Diamond Sleet and Onyx Sleet were exploiting the same vulnerability.
On December 13, the UK-backed Shadowserver Foundation said it was still detecting 800 unpatched instances of JetBrains TeamCity worldwide.
Who are Behind the Cozy Bear Moniker?
Cozy Bear, also known as the Dukes, Nobelium, Midnight Blizzard and APT 29, is a group of highly skilled hackers with reported ties to the Russian foreign intelligence service (SVR).
The group has been active since at least 2008.
Their activity has previously been attributed to the 2016 info-stealing raid on the Democratic National Committee (DNC), the SolarWinds campaign and separate raids targeting intellectual property related to COVID-19 vaccine development.
CISA’s Recommendations to Mitigate CVE-2023-42793 Exploit
In the joint advisory, CISA provided a technical analysis of the exploitation of CVE-2023-42793 by Cozy Bear, as well as a list of indicators of compromise (IOCs).
They also issued a set of mitigation recommendations.
Some of the mitigations were general security measures, like keeping all operating systems, software, and firmware up to date, applying multifactor authentication (MFA) and using an endpoint detection and response (EDR) solution.
Read more: Is MFA Enough to Protect You Against Cyber-Attacks?
Others were specifically provided to mitigate a potential compromise in JetBrains TeamCity. Those included:
- Apply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if not already completed
- Monitor the network for evidence of encoded commands and execution of network scanning tools
- Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time
- Require MFA for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems
Credit: Source link
Comments are closed.