On December 13, 2023, the United States Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, National Security Agency, Polish Military Counterintelligence Service, Community Emergency Response Team Polska, and the United Kingdom’s National Cyber Security Centre released a report that assessed that cyber actors associated with the Russian Foreign Intelligence Service (SVR), also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes; access that a malicious actor could further use to conduct malicious supply chain operations. Although the SVR executed such an operation against SolarWinds and its customers in 2020, the authoring agencies are currently unaware of any attempts by the SVR to use the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
Software supply chain compromise is one of the most dangerous and hard to detect and mitigate, threats. Conducting such activity requires significant resources, access, and effort. If successful, it may allow for deploying a malicious update which, in the simplest scenario, could execute adversary tools resulting in enabling access to devices or whole networks. In more complicated scenario, access to the build pipeline could allow for compromising compiled source code and for introduction of almost indetectable modification to software, such as minuscule changes to cryptography protocols that could enable decryption of the protected data. Supply chain compromise can easily have unforeseen consequences, spill-over and result in enormous damage for the economy and specifically retail organizations.
Given the prevalent use of software supply chains in the retail and hospitality industry, members should review the recommendations listed below. To bring the threat actor’s actions to public attention, the authoring agencies are providing this information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. It is recommended to review the IOCs below and ingest and incorporate them into your security environment.
Recommendations and Mitigations:
The Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, National Security Agency, Polish Military Counterintelligence Service, Community Emergency Response Team Polska, and the United Kingdom’s National Cyber Security Centre assess the scope and indiscriminate targeting of this campaign poses a threat to public safety and recommend organizations implement the mitigations below to improve organization’s cybersecurity posture, per their publication:
- Apply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if not already completed.
- Monitor the network for evidence of encoded commands and execution of network scanning tools.
- Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
- Require use of multi-factor authentication [CPG 1.3] for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems.
- Organizations should adopt multi-factor authentication (MFA) as an additional layer of security for all users with access to sensitive data. Enabling MFA significantly reduces the risk of unauthorized access, even if passwords are compromised.
- Keep all operating systems, software, and firmware up to date. Immediately configure newly added systems to the network, including those used for testing or development work, to follow the organization’s security baseline and incorporate into enterprise monitoring tools.
- Audit log files to identify attempts to access privileged certificates and creation of fake identity providers.
- Deploy software to identify suspicious behavior on systems.
- Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
- Use available public resources to identify credential abuse with cloud environments.
- Configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.
GraphicalProton HTTPS backdoor:
Backdoored Zabbix Installation Archive:
Backdoored Webroot AV Installation Archive:
- 128[.]239.22.138:443 – via legitimate entity
GraphicalProton HTTPS C2 URL: