Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attack

Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have been targeting unpatched JetBrains TeamCity servers in widespread attacks since September 2023.

The activity is attributed to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It is known for the supply chain attack that targeted SolarWinds and its customers in 2020.

“SVR, however, was observed using the initial access gained by exploiting the TeamCity CVE to escalate its privileges, move later, deploy additional backdoors, and take other steps to ensure continuous and long-term access to compromised network environments,” cybersecurity agencies from Poland, the UK, and the US said.

The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that untrusted attackers can weaponize to achieve remote code execution on affected systems. It has since come under active exploitation by hacking crews, including North Korean ones, for the delivery of malware.


“TeamCity exploits typically result in the execution of code with elevated privileges that give SVR a useful foothold in the network environment,” the agencies said.

“If compromised, access to a TeamCity server would give malicious actors access to the software developer’s source code, signing certificates, and the ability to subvert the software compilation and deployment processes – access by a malicious actor can still be used to conduct supply chain operations.”

Successful initial access is usually followed by reconnaissance, privilege escalation, lateral movement, and data exfiltration, while the attackers simultaneously take steps to avoid detection using an open-source tool called EDRSandBlast. The ultimate goal of the attacks is to deploy a backdoor codenamed GraphicalProton that acts as a loader to deliver additional payloads.

GraphicalProton, also known as VaporRage, uses OneDrive as its primary command-and-control (C2) communication channel, with Dropbox as a fallback mechanism. The threat actor is using it as part of an ongoing campaign called Diplomatic Orbiter that targets diplomatic agencies around the world.
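One way a defender could hunt for the OneDrive-primary, Dropbox-fallback pattern described above, as an added example that is not from the article or the agencies' advisory. The API hostnames, the process allowlist and the CSV log layout are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumption: API hostnames a defender maps to each cloud-storage service.
# They are not taken from the article; tune them to your own telemetry.
CLOUD_HOSTS = {
    "graph.microsoft.com": "onedrive",
    "api.onedrive.com": "onedrive",
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
}
# Assumption: the only processes expected to reach these services.
ALLOWED = {"onedrive.exe", "dropbox.exe"}

# Constructed egress records: timestamp,host,process,destination
SAMPLE_LOG = """\
2023-10-02T09:00:11Z,build01,java.exe,plugins.jetbrains.com
2023-10-02T09:14:52Z,build01,rundll32.exe,graph.microsoft.com
2023-10-02T09:44:52Z,build01,rundll32.exe,graph.microsoft.com
2023-10-02T10:15:03Z,build01,rundll32.exe,content.dropboxapi.com
2023-10-02T10:20:40Z,wks07,OneDrive.exe,graph.microsoft.com
2023-10-02T11:02:09Z,build02,svchost.exe,api.dropboxapi.com
"""

def find_cloud_c2_candidates(log_text):
    """Map (host, process) -> services for non-allowlisted processes
    that contacted a cloud-storage API."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:          # skip blank or malformed records
            continue
        _ts, host, proc, dest = row
        service = CLOUD_HOSTS.get(dest.lower())
        if service and proc.lower() not in ALLOWED:
            seen[(host, proc.lower())].add(service)
    return {key: sorted(svcs) for key, svcs in seen.items()}

def triage(candidates):
    """A process that used both services fits the primary-plus-fallback
    pattern and is ranked 'high'; a single service is 'medium'."""
    return sorted(
        ("high" if len(svcs) == 2 else "medium", host, proc, svcs)
        for (host, proc), svcs in candidates.items()
    )

if __name__ == "__main__":
    for sev, host, proc, svcs in triage(find_cloud_c2_candidates(SAMPLE_LOG)):
        print(f"{sev:6} {host:8} {proc:14} {','.join(svcs)}")
```

On a build server, where no user sync client should be running, the allowlist can be emptied so that any contact with these services is surfaced for review.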

Around 100 devices located across the US, Europe, Asia, and Australia are said to have been compromised as a result of suspected opportunistic attacks.

Campaign targets include an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, device manufacturers, and small and large IT businesses.

The disclosure comes as Microsoft revealed a series of Russian attacks on Ukraine’s agricultural sector between June and September 2023 that aimed to penetrate networks, exfiltrate data, and deploy damaging malware such as SharpWipe (aka WalnutWipe).

The intrusions are tied back to two nation-state groups codenamed Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium), respectively.

Seashell Blizzard was also observed using pirated Microsoft Office software that hides the DarkCrystalRAT (aka DCRat) backdoor to gain initial access. The backdoor was then used to download a second-stage payload named Shadowlink, which masquerades as Microsoft Defender but in fact installs a Tor service for stealthy remote access.


“Midnight Blizzard took a kitchen sink approach, using password spray, credentials obtained from third-parties, credible social engineering campaigns through Teams, and abusing cloud services to infiltrate the cloud environment,” the tech giant said.

Microsoft also highlighted a Russian-affiliated influence actor it calls Storm-1099 (aka Doppelganger) for carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022.

Other influence efforts include spoofing mainstream media and fraudulently editing celebrity videos shared on Cameo to spread anti-Ukraine video content and discredit President Volodymyr Zelensky through false claims that he suffered from substance abuse issues, fueling ongoing efforts to discredit global perceptions of the war.

“This campaign marks a new approach by pro-Russia actors seeking to maintain a narrative in the online information space,” Microsoft said. “Russian cyber and influence operators have shown adaptability throughout the war in Ukraine.”
