Rewterz Threat Alert – Russia-Linked APT29 Threat Group Targeting TeamCity Servers Since September – Active IOCs

Severity

High

Analysis Summary

CISA along with other cybersecurity agencies recently warned that the Russian state-backed threat group APT29 has been launching widespread attacks on unpatched TeamCity servers since at least September 2023.

APT29 is infamous for breaching multiple U.S. federal agencies after the three-year-old SolarWinds supply-chain attack they carried out. They also attacked the Microsoft 365 accounts of various organizations in NATO-aligned countries as part of their phishing campaigns targeting embassies, governments, and high-ranking officials to access foreign policy-related information across Europe.

The TeamCity vulnerability they’re exploiting in the recent attacks is tracked as CVE-2023-42793 with a critical severity score of 9.8 that can be exploited by unauthenticated threat actors in remote code execution (RCE) attacks with low complexity that don’t require user interaction. By choosing to exploit this flaw actively, Russia’s Foreign Intelligence Service (SVR) could leverage the access to victims and allow the attackers to infect the networks of several software developers.

“In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies,” the researchers warned.

The SVR has been seen using the initial access gained by the TeamCity CVE exploits to escalate its privileges, deploy additional backdoors, move laterally, and take other steps to remain persistent for long-term access to the compromised networks. The researchers have assessed that the SVR has not yet accessed customer networks from the compromised software developer networks and is most likely still in the preparation phase of its operation. However, having access to these companies’ networks grants many opportunities to the threat actors to set up sophisticated C2 infrastructure that may be difficult to detect.

This allows the threat actors to steal source code and store service secrets as well as private keys. With all this access, the attackers can inject malicious code that can further compromise the integrity of software releases and cause a larger impact on downstream users. There are almost 800 unpatched TeamCity servers that are vulnerable to attacks.

In October, multiple ransomware gangs were actively exploiting the vulnerability to compromise corporate networks with attacks detected from 56 different IP addresses. Microsoft later stated that the North Korean Lazarus and Andariel groups were backdooring targeted networks using the CVE-2023-42793 exploits to later carry out supply chain attacks.

JetBrains claims that more than 98% of all TeamCity servers have been patched now in the newest update released on 18^th September. All customers are urged via public posts or direct contact to update their software immediately. A dedicated patch for organizations using older versions of TeamCity has also been released. Additionally, the company stated that the flaw only affects the instances of TeamCity that are on premise and the cloud version wasn’t impacted.

Impact

• Code Execution
• Privilege Escalation
• Sensitive Information Theft
• Cyber Espionage

Indicators of Compromise

MD5

• 98a082e95628b51307343581cfb7eac7
• 69538d033ae3309f0652ae815506fcec
• 2f383f7785f187c93f62fda035ffe587
• 347b4f985414ca9f78bbbbff002e3ec6
• 46125424b4982c6ae17af821dedb9bfb
• 23448eba3f5f7267b810080bcb04110f
• 484617c0e2a1d6f7e95f121717e11768
• cd6f6b6a05cd94839beaae7f59b4d6dd
• b1cc96c1533d901d248d65289a127ea2
• 5ba4f88f92415a420b61d8fbe5205db2
• 760ada04a2b937dd81684807597b27c0
• df6da9b86835eacbda212e5ab9d77c68
• 88357c8115dcb7e7cfb8fe30c99fe4a2
• 0d1cd6a6b7279c8c30554718858545a4
• 5a782bc5f0d63540b666f6a07e116d81

SHA-256

• 620d2bf14fe345eef618fdd1dac242b3a0bb65ccb75699fe00f7c671f2c1d869
• 773f0102720af2957859d6930cd09693824d87db705b3303cef9ee794375ce13
• 7b666b978dbbe7c032cef19a90993e8e4922b743ee839632bfa6d99314ea6c53
• 8afb71b7ce511b0bce642f46d6fc5dd79fad86a58223061b684313966efef9c7
• cb83e5cb264161c28de76a44d0edb450745e773d24bec5869d85f69633e44dcf
• ebe231c90fad02590fc56d5840acc63b90312b0e2fee7da3c7606027ed92600e
• c7b01242d2e15c3da0f45b8adec4e6913e534849cde16a2a6c480045e03fbee4
• 4bf1915785d7c6e0987eb9c15857f7ac67dc365177a1707b14822131d43a6166
• 18101518eae3eec6ebe453de4c4c380160774d7c3ed5c79e1813013ac1bb0b93
• 219fb90d2e88a2197a9e08b0e7811e2e0bd23d59233287587ccc4642c2cf3d67
• 92c7693e82a90d08249edeafbca6533fed81b62e9e056dec34c24756e0a130a6
• c37c109171f32456bbe57b8676cc533091e387e6ba733fbaa01175c43cfb6ebd
• c832462c15c8041191f190f7a88d25089d57f78e97161c3003d68d0cc2c4baa3
• d724728344fcf3812a0664a80270f7b4980b82342449a8c5a2fa510e10600443
• 4ee70128c70d646c5c2a9a17ad05949cb1fbf1043e9d671998812b2dce75cf0f

SHA-1

• d4411f70e0dcc2f88d74ae7251d51c6676075f6f
• 2df317b8a408d2ad5c94b9de6f20bbef03e46066
• 3a32e516c037c37f7bf83171e167511ba53870a7
• a4b03f1e981ccdd7e08e786c72283d5551671edf
• 18192bb4aaa1b72104be4d26460b55f31ca65baf
• 5ce062f210e1a5026cb53e9949865312ee477e3c
• 2127cb774c3516840db15de1304e1ed498fece36
• 5310270aeeeca3fdb38beee7021f3cda591b70d8
• c4124809fc7f82a5184e4fcd81c95384bbd4e01d
• 7288ff36f61f4643e247427eb6abc42d4b4ceb05
• 66e3f470129dbcf3a7da958405f12abea73b8a69
• e6dbab1eff7245c555dff449081aa07119ca8159
• 23761328b0f584fb872548be90c8ab4f605f2712
• 67c4cb66cae506aecfb7f9fb819305f11d036fa3
• 281bb0dadc789b89f7ae30d5f4bdeae57c66b0e1

URL

• https://matclick.com/wp-query.php

Remediation

• Refer to the JetBrains Website for patch, upgrade, or suggested workaround information.
• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT29. Also, prioritize patching known exploited vulnerabilities and zero-days.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.