A known JetBrains TeamCity vulnerability is now being exploited by two nation-state threat groups as some organizations have yet to patch the critical flaw.
CISA issued a joint government advisory Wednesday to warn users that a Russian advanced persistent threat (APT) actor, commonly known as Cozy Bear, is exploiting a TeamCity server bypass authentication vulnerability, tracked as CVE-2023-42793, that was disclosed and patched in September. The widespread exploitation activity started in late September and has compromised "a few dozen" companies in the U.S., Europe, Asia and Australia.
Wednesday's advisory was co-authored by CISA, the FBI, the National Security Agency, the Polish Military Counterintelligence Service, CERT Polska and the U.K.'s National Cyber Security Centre. It marked the second report on TeamCity exploitation by a nation-state group. In October, Microsoft and JetBrains disclosed that North Korean threat actors were exploiting CVE-2023-42793 to gain initial access to vulnerable servers.
After gaining access, both nation-state groups were observed deploying backdoors to maintain persistence on compromised networks. Wednesday's advisory warned that Russian state-sponsored operations "pose a persistent threat to public and private organizations' networks globally."
Cozy Bear, also known as APT29 and Nobelium/Midnight Blizzard, is a hacking group connected to Russia's Foreign Intelligence Service (SVR). The APT group is responsible for several high-profile attacks, including the massive SolarWinds breach, which affected U.S. federal government agencies in 2020.
In addition to confirming that Cozy Bear compromised a few dozen companies since September, the government agencies also said they are aware of more than 100 compromised devices. However, they estimated that the list of affected organizations is likely even higher.
CISA revealed that identified victims included an energy trade association, as well as software providers for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales and video games. Hosting and IT companies were also affected.
Potential supply chain threat
So far, CISA said it has not observed Cozy Bear abusing TeamCity access in the same way threat actors used malicious software updates to gain access to SolarWinds customers. Still, the agency warned that the activity could pose a threat to the supply chain.
"If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes -- access a malicious actor could further use to conduct supply chain operations," the government agencies wrote in the advisory.
Cozy Bear is known to conduct spear phishing attacks and to target organizations across several sectors including education, government and technology for cyberespionage purposes. After exploiting the TeamCity vulnerability to gain initial access and escalate privileges, the threat actor was observed using GraphicalProton, a backdoor that uses Microsoft OneDrive and Dropbox to share data with the SVR operator. To avoid detection, the threat actor used the "bring your own vulnerable driver" technique, a recent but increasingly common tactic also leveraged by ransomware groups.
In response to Cozy Bear abusing OneDrive and Dropbox, Microsoft revealed that it is taking action to disrupt the large-scale campaign. The tech giant outlined other indicators of compromise in a series of posts on X, formerly known as Twitter, on Wednesday.
"Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR [endpoint detection and response] capabilities," Microsoft wrote on X.
While the September patch release helped to limit Cozy Bear exploitation activity against CVE-2023-42793, CISA said the threat group is "likely still in the preparatory phase of its operation."
Recent scans by cybersecurity nonprofit The Shadowserver Foundation showed 800 unpatched TeamCity servers remaining worldwide. Most of those servers are located in the U.S. and Europe.
In a statement to TechTarget Editorial, a JetBrains spokesperson said 2% of TeamCity instances remain unpatched as of now. The spokesperson emphasized that the vulnerability only affects on-premises instances of TeamCity and not the cloud version.
"We were informed about this vulnerability earlier this year and immediately fixed it in the TeamCity 2023.05.4 update, which was released on Sept. 18, 2023. Since then, we have been contacting our customers directly or via public posts motivating them to update their software," the spokesperson said. "We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn't upgrade in time. In addition, we have been sharing best security practices to help our customers strengthen the security of their build pipelines."
In addition to patching, CISA also advised enterprises to implement multifactor authentication, monitor networks, audit log files and validate security controls.
Arielle Waldman is a Boston-based reporter covering enterprise security news.