The SolarWinds hackers are infiltrating JetBrains TeamCity servers via a critical vulnerability enabling authentication bypass and arbitrary code execution, government officials warn.
Russian Foreign Intelligence Service (SVR)-backed threat actor CozyBear has been exploiting the bug tracked as CVE-2023-42793 since September, according to a joint advisory from CISA, the FBI, the NSA and international partners. A patch was made available on Sept. 18 in TeamCity version 2023.05.4.
The critical vulnerability enables unauthenticated attackers to gain administrator access to TeamCity servers and achieve remote code execution without the need for user interaction, according to SonarSource. SonarSource first discovered the flaw in on-premises TeamCity servers and disclosed the details publicly on Sept. 26. Cloud implementations of TeamCity are not affected.
TeamCity is a Continuous Integration and Continuous Deployment (CI/CD) server that many software companies use to manage and automate software development processes such as building, testing and releasing.
More than 30,000 JetBrains customers use TeamCity servers, and more than 3,000 on-premises servers were directly exposed to the internet when the bug was discovered, SonarSource said.
“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes — access a malicious actor could further use to conduct supply chain operations,” according to the government advisory.
CozyBear hackers use JetBrains security flaw to compromise dozens of companies
The Russia-backed cybergang CozyBear, which conducted the massive SolarWinds supply chain attack in 2020, has compromised dozens of companies and more than a hundred devices by exploiting the JetBrains TeamCity flaw, officials said. Companies in the United States, Europe, Asia and Australia have been affected.
The joint government advisory states identified victims include companies that provide software for billing, financial management, sales, marketing, customer care, employee monitoring, medical devices and video games. The attackers also compromised small and large IT companies and an energy trade association, according to the advisory.
CozyBear was seen using the Mimikatz tool to steal credentials from the Windows Registry and escalate privileges on compromised systems. They also used the GraphicalProton backdoor to exfiltrate sensitive information. The backdoor uses OneDrive and Dropbox as command-and-control (C2) channels to communicate with compromised devices, hiding the exchanged data inside randomly generated BMP files to evade detection.
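The paragraph above describes credential theft from the Windows Registry; the check a detection engineer would want is a rule over process-creation telemetry for registry hive exports and Mimikatz module invocations. The following is an added example for this article, not the advisory's own indicators or detection logic: it is generic logic for that technique, the log format is a simplified one-record-per-line form, and the five records are constructed (hostnames, users and paths are placeholders).

```python
"""Flag process-creation records consistent with credential theft from the
Windows Registry: hive exports of SAM/SECURITY/SYSTEM and Mimikatz module
invocations (sekurlsa::, lsadump::, ...).

Added example; generic detection logic, not indicators from the advisory.
Record format (assumed, constructed): key=value tokens, with the command
line as the final 'cmd=' field running to end of line."""
import re

# reg / reg.exe save|export of a credential-bearing hive (case-insensitive)
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+"
    r"(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b",
    re.IGNORECASE,
)
# Mimikatz "module::command" syntax for the credential-related modules
MIMIKATZ_RE = re.compile(
    r"\b(?:sekurlsa|lsadump|privilege|kerberos)::\w+",
    re.IGNORECASE,
)


def parse_record(line: str) -> dict:
    """Split 'k=v k=v cmd=<rest of line>' into a dict; cmd keeps its spaces."""
    head, sep, cmd = line.partition(" cmd=")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    fields["cmd"] = cmd.strip() if sep else ""
    return fields


def analyze(line: str):
    """Return (host, [reasons]) for one record; empty reasons means no hit."""
    rec = parse_record(line)
    cmd = rec.get("cmd", "")
    reasons = []
    if HIVE_DUMP_RE.search(cmd):
        reasons.append("registry hive export (SAM/SECURITY/SYSTEM)")
    if MIMIKATZ_RE.search(cmd):
        reasons.append("mimikatz module invocation")
    return rec.get("host", "?"), reasons


def scan(lines):
    """Return [(line_no, host, reasons)] for every record that matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        host, reasons = analyze(line)
        if reasons:
            hits.append((n, host, reasons))
    return hits


# Constructed sample records (not real telemetry). Lines 2-4 should fire,
# lines 1 and 5 are benign reg / PowerShell usage that must not.
SAMPLE_LOG = [
    r"2023-10-02T11:14:03Z host=ci-a evt=ProcessCreate user=svc_build image=C:\Windows\System32\reg.exe cmd=reg query HKLM\SOFTWARE\JetBrains",
    r"2023-10-02T11:15:48Z host=ci-a evt=ProcessCreate user=SYSTEM image=C:\Windows\System32\reg.exe cmd=reg save HKLM\SYSTEM C:\Windows\Temp\s.hiv",
    r"2023-10-02T11:15:51Z host=ci-a evt=ProcessCreate user=SYSTEM image=C:\Windows\System32\reg.exe cmd=reg.exe save hklm\sam C:\Windows\Temp\a.hiv",
    r'2023-10-02T11:20:07Z host=ci-b evt=ProcessCreate user=SYSTEM image=C:\Users\Public\m.exe cmd=C:\Users\Public\m.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
    r"2023-10-02T11:21:30Z host=ci-b evt=ProcessCreate user=svc_build image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -NoProfile -Command [Math]::Max(1,2)",
]

if __name__ == "__main__":
    for line_no, host, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no} host={host}: {'; '.join(reasons)}")
```

The hive pattern deliberately ignores `reg query` and `reg add`, and the Mimikatz pattern is anchored on the `module::command` syntax rather than on a binary name, since the tool is routinely renamed. Renamed or reflectively loaded tooling, and dumps taken with other utilities, are out of this rule's scope; it is one signal to pair with file-creation and LSASS-access telemetry, not a complete detection.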
JetBrains updated its blog on Thursday notifying customers about the exploitation and reiterating recommendations to update on-premises TeamCity servers to version 2023.05.4 or later.
“As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately,” JetBrains Head of Security Yaroslav Russkih said in a statement to SC Media Thursday.
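The article's figures above come from JetBrains' own telemetry; the check a defender can run against an internal inventory is a version comparison against the fixed release named earlier, 2023.05.4. The following is an added example, not JetBrains' or SonarSource's code: it assumes a banner string of the form "TeamCity <edition> <version> (build <n>)" as shown in the product footer, and the five inventory entries are constructed placeholders. It generalizes beyond the 2023.05 line to any older release (all versions before 2023.05.4 are affected per SonarSource), with one caveat a practitioner needs: JetBrains also shipped a security patch plugin for older versions, so "vulnerable-by-version" means "verify", not "confirmed exposed".

```python
"""Triage on-premises TeamCity servers by version against the
CVE-2023-42793 fix (first shipped in 2023.05.4, Sept. 18, 2023).

Added example for this article. Banner format assumed; inventory
entries are constructed placeholders, not real hosts."""
import re

FIXED_VERSION = (2023, 5, 4)  # first release carrying the fix, per JetBrains

# First "a.b" or "a.b.c" group in the banner is the product version; the
# later "(build N)" has no dot so it is never mistaken for a version.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner: str):
    """Return (major, minor, patch) from a banner like
    'TeamCity Professional 2023.05.3 (build 100001)', or None if absent.
    A missing patch component (e.g. '2023.11') is treated as 0."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(banner: str) -> str:
    """'fixed' at or above 2023.05.4, 'vulnerable-by-version' below it,
    'unknown' when no version can be read (e.g. footer hidden)."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "fixed" if v >= FIXED_VERSION else "vulnerable-by-version"


def triage(inventory):
    """inventory: iterable of (host, banner). Returns {status: sorted hosts}.
    'vulnerable-by-version' hosts still need a check for JetBrains' security
    patch plugin before being declared exposed."""
    result = {"fixed": [], "vulnerable-by-version": [], "unknown": []}
    for host, banner in inventory:
        result[classify(banner)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hostnames and build numbers are placeholders)
SAMPLE_INVENTORY = [
    ("ci-a.example.internal", "TeamCity Professional 2023.05.3 (build 100001)"),
    ("ci-b.example.internal", "TeamCity Enterprise 2023.05.4 (build 100002)"),
    ("ci-c.example.internal", "TeamCity Professional 2023.11 (build 100003)"),
    ("ci-d.example.internal", "TeamCity Enterprise 2022.10.3 (build 100004)"),
    ("ci-e.example.internal", "Welcome to TeamCity"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Tuple comparison handles the release scheme directly: 2023.11 with no patch component sorts above 2023.05.4, and any 2022.x or earlier sorts below it. Cloud-hosted TeamCity is not in scope for this check, as the article notes it is unaffected.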
SC Media also reached out to CISA, which declined to comment on how the CozyBear exploitation was discovered.
Shadowserver, a nonprofit organization that tracks and analyzes malicious web activity, said on Wednesday it detected 800 unpatched instances of JetBrains TeamCity across the globe. More than 230 vulnerable instances were found in the United States alone, the group said in a subsequent X post.
SolarWinds hack heightens supply chain attack worries
SVR's CozyBear pulled off the notorious SolarWinds attack by leveraging access to the source code and trusted certificates of SolarWinds' Orion software. The hackers injected their SUNBURST/Solorigate malware into Orion software updates to stealthily spread the backdoor to SolarWinds' enterprise customers.
The advisory by CISA and partners notes that SolarWinds-like access to source code and certificates can be achieved by exploiting the JetBrains TeamCity vulnerability. However, the document noted that SVR’s ongoing exploitation of CVE-2023-42793 has affected a “limited number and seemingly opportunistic types of victims,” which indicates that SVR is not using the exploit in a similar manner to its SolarWinds campaign.
Speculation that TeamCity software used by SolarWinds was compromised as a prelude to the 2020 attacks was refuted by JetBrains, which said in 2021, “we have not played any role in this breach, nor are we aware of any vulnerabilities in TeamCity that may have led to this breach.”
In response to a 2021 New York Times article suggesting JetBrains was under investigation, the company said it was not aware of any investigation and noted that SolarWinds itself stated it “hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product.”
Services like TeamCity remain a prime target for threat actors working for foreign intelligence agencies. CVE-2023-42793 was also exploited by the North Korean nation-state threat actors Diamond Sleet and Onyx Sleet in October, in campaigns discovered by Microsoft.
SonarSource also noted the status of CI/CD servers as “a high-value target for attackers” when it disclosed the vulnerability.
However, as the first exploitation activity was detected just around the same time that the patch was released, JetBrains says “there is little probability of your instance having been exploited if you immediately upgraded or applied the patch when it was made available.”