Brother
Professional
The preparatory stage will open the way for massive espionage campaigns and data theft.
CISA warns that the APT29 hacker group has been attacking unpatched TeamCity servers since September 2023. The attacks exploit CVE-2023-42793 (CVSS 9.8) in TeamCity, which allows an unauthenticated attacker to achieve remote code execution (RCE) without any user interaction.
CISA states that access to a TeamCity server allows an attacker to escalate privileges, move laterally across the network, install additional backdoors and maintain long-term access to compromised networks, in particular those of software developers.
It is noted that APT29 has not yet used its access to compromised software developers to reach their customers' networks and is probably still in the preparatory stage of its operation. Access to company networks lets the group deploy hard-to-detect command-and-control (C2) infrastructure.
Sonar, the Swiss information security company that discovered and reported the vulnerability, published full technical details of the flaw a week after JetBrains released TeamCity 2023.05.4 on September 21, which fixes the problem. According to the Shadowserver Foundation, over 730 TeamCity servers remain vulnerable.
JetBrains confirmed that the vulnerability affects all TeamCity versions prior to the patched release 2023.05.4, but only on-premises servers installed on Windows, Linux and macOS, as well as those running in Docker, are at risk.
A few days after the Sonar report was published, GreyNoise and PRODAFT reported networks. Microsoft also claimed that North Korean groups Lazarus and Andariel exploited CVE-2023-42793 to deploy malware to compromise the software supply chain.
According to JetBrains, TeamCity is used by more than 30,000 organizations worldwide. The company says that more than 98% of all TeamCity servers have already been updated, and that it has taken additional measures to inform customers of the need to update and to apply security best practices.
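The post gives the two facts a defender needs for triage: every release before 2023.05.4 is affected, and only on-premises installations (not hosted TeamCity) are at risk. The following is an added example, not code from the post, from CISA or from JetBrains: it turns those two facts into a small version check. It assumes you have already fetched the login page of each server (the HTML snippet below is constructed for the example, and the `Version N (build M)` footer format is an assumption about what that page shows); the host name is hypothetical.

```python
import re
from typing import Optional, Tuple

# First fixed release named in the post: TeamCity 2023.05.4 (released 21 September 2023).
FIXED_VERSION = "2023.05.4"

# Constructed sample of the footer string an on-premises TeamCity login page is assumed
# to show; it is not captured from a real host. How you fetch the page is up to you.
SAMPLE_LOGIN_PAGE = '<span class="version">Version 2023.05.3 (build 129390)</span>'

# Matches "Version 2023.05.3" and ignores the "(build NNNN)" suffix that follows it.
_VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)+)")


def find_version_string(page_text: str) -> Optional[str]:
    """Pull the dotted TeamCity version out of login-page text; None if no footer is found."""
    match = _VERSION_RE.search(page_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2023.05.3' -> (2023, 5, 3). Comparing tuples of ints avoids the string-compare
    trap where '2023.11.1' would sort before '2023.5.4'."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str, on_premises: bool = True) -> bool:
    """True when an on-premises server runs a release older than the fix.
    The post says only on-premises servers are at risk, so hosted instances are excluded."""
    return on_premises and version_tuple(version) < version_tuple(FIXED_VERSION)


def assess(host: str, page_text: str, on_premises: bool = True) -> dict:
    """Triage one host: record its version and whether it is still exposed to CVE-2023-42793."""
    version = find_version_string(page_text)
    if version is None:
        return {"host": host, "version": None, "status": "unknown (no version string found)"}
    if is_vulnerable(version, on_premises):
        status = "VULNERABLE: upgrade to %s or later" % FIXED_VERSION
    else:
        status = "patched"
    return {"host": host, "version": version, "status": status}


if __name__ == "__main__":
    # "build.example.internal" is a hypothetical host name.
    print(assess("build.example.internal", SAMPLE_LOGIN_PAGE))
```

A server whose page carries no version string is reported as unknown rather than patched, so an unexpected login page or a reverse proxy stripping the footer does not silently turn into a false "all clear".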