APT29 Targets Tech Companies via TeamCity Flaw

In the week prior, the spotlight was on the Russian threat group APT28 for exploiting vulnerabilities in Microsoft Outlook - CVE-2023-23397, and WinRAR - CVE-2023-38831. Now, attention turns to another threat group associated with the Russian Foreign Intelligence Service (SVR), namely APT29 (also known as the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard). A recent advisory from CISA exposes their exploitation of the JetBrains TeamCity vulnerability, CVE-2023-42793 rated a 9.8/10 targeting technology companies since late September 2023. CISA assesses SVR aims to compromise networks of software developers using this vulnerability, potentially gaining access to source code, signing certificates, and the ability to manipulate software deployment processes. Notably, the SVR has been observed using the initial access gained through the TeamCity CVE to escalate privileges, move laterally, deploy additional backdoors, and ensure persistent and long-term access to compromised networks.

The attack involves multiple phases, starting with the exploitation of Internet-connected JetBrains TeamCity servers. SVR engages in host reconnaissance using basic built-in commands and tools like PowerShell to gather information about compromised systems. Additionally, the threat actors exfiltrate files, showing a particular interest in SQL Server and various executable files related to Visual Studio and update management agents. The SVR employs tactics to avoid detection, such as disabling or killing endpoint detection and response (EDR) and antivirus software using the "Bring Your Own Vulnerable Driver" technique.

The SVR utilizes techniques like modifying the NoLMHash registry key, employing Mimikatz, and manipulating scheduled tasks for persistence. The threat actors exfiltrate sensitive data, including Windows Registry hives, and conduct network reconnaissance using a mix of built-in commands and tools like PowerSploit. Tunneling into compromised environments is achieved using the "rr.exe" tool, establishing a connection with specific C2 infrastructure. Lateral movement is facilitated through techniques like WMIC, and SVR employs a diverse toolset, including custom tools like GraphicalProton, which communicates via OneDrive and Dropbox, ensuring covert command and control channels.

According to a dashboard provided by security researchers at Shadowserver Foundation, highlighting nearly 800 susceptible TeamCity servers, organizations are strongly advised to promptly implement available patches or workarounds. These recent reports surrounding Russian APT groups, APT28, and APT29 along with their abuse of vulnerabilities underscore the critical importance of promptly addressing vulnerabilities, particularly when there is evidence of ongoing and active exploitation.