Russian Foreign Intelligence Service (SVR) Cyber Actors Use JetBrains TeamCity CVE in Global Targeting

Context

On December 13, 2023, the United States Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, National Security Agency, Polish Military Counterintelligence Service, Community Emergency Response Team Polska, and the United Kingdom’s National Cyber Security Centre released a report that assessed that cyber actors associated with the Russian Foreign Intelligence Service (SVR), also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.

Technical Details

Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes; access that a malicious actor could further use to conduct malicious supply chain operations. Although the SVR executed such an operation against SolarWinds and its customers in 2020, the authoring agencies are currently unaware of any attempts by the SVR to use the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.

Community Impact

Software supply chain compromise is one of the most dangerous and hard to detect and mitigate, threats. Conducting such activity requires significant resources, access, and effort. If successful, it may allow for deploying a malicious update which, in the simplest scenario, could execute adversary tools resulting in enabling access to devices or whole networks. In more complicated scenario, access to the build pipeline could allow for compromising compiled source code and for introduction of almost indetectable modification to software, such as minuscule changes to cryptography protocols that could enable decryption of the protected data. Supply chain compromise can easily have unforeseen consequences, spill-over and result in enormous damage for the economy and specifically retail organizations.

Given the prevalent use of software supply chains in the retail and hospitality industry, members should review the recommendations listed below. To bring the threat actor’s actions to public attention, the authoring agencies are providing this information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. It is recommended to review the IOCs below and ingest and incorporate them into your security environment.

Recommendations and Mitigations:

The Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, National Security Agency, Polish Military Counterintelligence Service, Community Emergency Response Team Polska, and the United Kingdom’s National Cyber Security Centre assess the scope and indiscriminate targeting of this campaign poses a threat to public safety and recommend organizations implement the mitigations below to improve organization’s cybersecurity posture, per their publication:

• Apply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if not already completed.
• Monitor the network for evidence of encoded commands and execution of network scanning tools.
• Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
• Require use of multi-factor authentication [CPG 1.3] for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems.
• Organizations should adopt multi-factor authentication (MFA) as an additional layer of security for all users with access to sensitive data. Enabling MFA significantly reduces the risk of unauthorized access, even if passwords are compromised.
• Keep all operating systems, software, and firmware up to date. Immediately configure newly added systems to the network, including those used for testing or development work, to follow the organization’s security baseline and incorporate into enterprise monitoring tools.
• Audit log files to identify attempts to access privileged certificates and creation of fake identity providers.
• Deploy software to identify suspicious behavior on systems.
• Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
• Use available public resources to identify credential abuse with cloud environments.
• Configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.

IOCs

GraphicalProton Backdoor:

• 01B5F7094DE0B2C6F8E28AA9A2DED678C166D615530E595621E692A9C0240732
• 34C8F155601A3948DDB0D60B582CFE87DE970D443CC0E05DF48B1A1AD2E42B5E
• 620D2BF14FE345EEF618FDD1DAC242B3A0BB65CCB75699FE00F7C671F2C1D869
• 773F0102720AF2957859D6930CD09693824D87DB705B3303CEF9EE794375CE13
• 7B666B978DBBE7C032CEF19A90993E8E4922B743EE839632BFA6D99314EA6C53
• 8AFB71B7CE511B0BCE642F46D6FC5DD79FAD86A58223061B684313966EFEF9C7
• 971F0CED6C42DD2B6E3EA3E6C54D0081CF9B06E79A38C2EDE3A2C5228C27A6DC
• CB83E5CB264161C28DE76A44D0EDB450745E773D24BEC5869D85F69633E44DCF
• CD3584D61C2724F927553770924149BB51811742A461146B15B34A26C92CAD43
• EBE231C90FAD02590FC56D5840ACC63B90312B0E2FEE7DA3C7606027ED92600E
• F1B40E6E5A7CBC22F7A0BD34607B13E7E3493B8AAD7431C47F1366F0256E23EB
• C7B01242D2E15C3DA0F45B8ADEC4E6913E534849CDE16A2A6C480045E03FBEE4
• 4BF1915785D7C6E0987EB9C15857F7AC67DC365177A1707B14822131D43A6166

GraphicalProton HTTPS backdoor:

• 18101518EAE3EEC6EBE453DE4C4C380160774D7C3ED5C79E1813013AC1BB0B93
• 19F1EF66E449CF2A2B0283DBB756850CCA396114286E1485E35E6C672C9C3641
• 1E74CF0223D57FD846E171F4A58790280D4593DF1F23132044076560A5455FF8
• 219FB90D2E88A2197A9E08B0E7811E2E0BD23D59233287587CCC4642C2CF3D67
• 92C7693E82A90D08249EDEAFBCA6533FED81B62E9E056DEC34C24756E0A130A6
• B53E27C79EED8531B1E05827ACE2362603FB9F77F53CEE2E34940D570217CBF7
• C37C109171F32456BBE57B8676CC533091E387E6BA733FBAA01175C43CFB6EBD
• C40A8006A7B1F10B1B42FDD8D6D0F434BE503FB3400FB948AC9AB8DDFA5B78A0
• C832462C15C8041191F190F7A88D25089D57F78E97161C3003D68D0CC2C4BAA3
• F6194121E1540C3553273709127DFA1DAAB96B0ACFAB6E92548BFB4059913C69

Backdoored vcperf:

• D724728344FCF3812A0664A80270F7B4980B82342449A8C5A2FA510E10600443

Backdoored Zabbix Installation Archive:

• 4EE70128C70D646C5C2A9A17AD05949CB1FBF1043E9D671998812B2DCE75CF0F

Backdoored Webroot AV Installation Archive:

• 950ADBAF66AB214DE837E6F1C00921C501746616A882EA8C42F1BAD5F9B6EFF4

Modified rsockstun:

• CB83E5CB264161C28DE76A44D0EDB450745E773D24BEC5869D85F69633E44DCF

Tunnel Endpoints:

• 128[.]239.22.138:443 – via legitimate entity
• 65[.]20.97.203
• 65[.]21.51.58

Exploitation Server:

• 103[.]76.128.34

GraphicalProton HTTPS C2 URL:

• hxxps://matclick[.]com/wp-query[.]php