CyberSecurity SEE

North Korean Hackers Exploit Critical Vulnerability in TeamCity

Two North Korean nation-state actors, identified as Diamond Sleet and Onyx Sleet, have been exploiting a critical vulnerability in JetBrains TeamCity, a popular continuous integration/continuous deployment (CI/CD) platform, according to research conducted by Microsoft. The vulnerability, known as CVE-2023-42793, is a remote code execution flaw that enables attackers to bypass authentication and gain unauthorized access to the software.

Microsoft disclosed in a blog post on Wednesday that the North Korean threat actors have been exploiting the vulnerability since early October. The severity of the vulnerability is evidenced by its high CVSS score of 9.8. Once the actors successfully exploit the vulnerability, they employ unique tools and techniques to create backdoors in order to maintain persistent access to the compromised environments.

Microsoft has directly notified any targeted or compromised customers, although the full scope of the exploitation remains unknown. However, based on the previous activities of Diamond Sleet, there is concern that these threat actors could pose a significant risk to the software supply chain. The August supply chain compromise of a German software provider by Diamond Sleet further highlights the potential widespread threat they pose.

In its official blog post, Microsoft stated, “Given this, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected.” This assessment is based on earlier supply chain attacks by North Korean threat actors, who have infiltrated build environments in the past to carry out their operations successfully. Notably, organizations affected by these attacks include media, IT services, and defense-related entities worldwide.

Onyx Sleet, the other North Korean threat actor involved, is known for exploiting N-day vulnerabilities as an initial attack vector, strengthening concerns regarding their capabilities and the potential impact of their operations.

The vulnerability disclosure timeline sheds light on the actions taken by JetBrains to address the issue. Olga Bedrina, TeamCity technical marketing writer, initially disclosed the vulnerability in a blog post last month. The critical vulnerability was reported to JetBrains by software development platform Sonar on September 6. JetBrains released a plugin as a temporary fix on September 18, with a patch becoming available on September 21 in version 2023.05.4.

Throughout the process, JetBrains has kept its customers informed about the vulnerability and its potential consequences. In response to Microsoft’s warnings about the ongoing exploitation activity by North Korean threat actors, Daniel Gallo, TeamCity solutions engineer, provided an update addressing the situation. While JetBrains was aware of some customers expressing concerns about potential compromises due to the vulnerability, it is unclear if these concerns align with the specific exploitation described by Microsoft.

Gallo emphasized that TeamCity On-Premises customers are responsible for the configuration and maintenance of their environments, and JetBrains does not have visibility into their setups. It is worth noting that the SaaS offering, TeamCity Cloud, was not susceptible to the vulnerability and remains unaffected.

Both Gallo and Microsoft urged TeamCity users to update to the fixed version of the software and review Microsoft’s indicators of compromise (IOCs) to identify potential malicious activities. Microsoft also highlighted the use of suspicious PowerShell downloads by Diamond Sleet following the successful compromise of TeamCity servers.

Furthermore, Microsoft stressed the importance of taking immediate action to address any malicious activity on affected devices. Due to the possibility of complete control by the attackers, isolating the system and resetting credentials are critical actions to prevent further harm.

To mitigate the risk of potential attacks, Gallo advised users to ensure that they had applied the security patch plugin or upgraded to version 2023.05.4 of TeamCity before early October 2023. Users who upgraded their software after this period may be at a higher risk of being targeted by the North Korean threat actors.
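As an added illustration of that advice (not code from JetBrains, Microsoft or the article), the following script triages an inventory of TeamCity On-Premises servers by the version string each one reports, flagging anything below 2023.05.4. It assumes the version string starts with a dotted "year.minor.patch" prefix such as "2023.05.4 (build N)", as shown in the TeamCity UI and its REST API; the host names and build numbers below are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# First TeamCity release containing the fix for CVE-2023-42793 (from the article).
FIXED_VERSION = "2023.05.4"

# Matches the leading "year.minor[.patch]" part of a version string such as
# "2023.05.4 (build 100001)". The "(build N)" suffix is an assumed format and is
# ignored; only the dotted prefix takes part in the comparison.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, minor, patch) for a TeamCity version string, or None if it
    cannot be parsed. A missing patch component ("2023.05") counts as patch 0."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_patched_version(text: str) -> Optional[bool]:
    """True if the reported version is at or above FIXED_VERSION, False if older,
    None if unparseable. Caveat: the temporary security-patch plugin JetBrains
    shipped on September 18 does not change the version number, so an older
    version reported here still needs a manual check for that plugin."""
    v = parse_version(text)
    if v is None:
        return None
    return v >= parse_version(FIXED_VERSION)


def triage(servers: Dict[str, str]) -> Dict[str, str]:
    """Map each server name to a follow-up verdict based on its version string."""
    verdicts = {}
    for name, version in servers.items():
        status = is_patched_version(version)
        if status is None:
            verdicts[name] = "unknown-version: inspect manually"
        elif status:
            verdicts[name] = "fixed-version"
        else:
            verdicts[name] = "pre-fix-version: confirm patch plugin, review IOCs"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or build numbers.
    sample = {
        "ci-build-01": "2023.05.4 (build 100001)",
        "ci-build-02": "2023.05.3 (build 100000)",
        "ci-legacy": "2022.10.2",
        "ci-unknown": "n/a",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Servers flagged as pre-fix should be checked for the patch plugin and, per the article, reviewed against Microsoft's published IOCs before being treated as clean.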

In conclusion, the exploitation of the critical JetBrains TeamCity vulnerability by North Korean threat actors raises concerns about the potential impact on the software supply chain. With previous successful attacks and ongoing exploitation, organizations using TeamCity should take immediate action to mitigate any potential risks and vulnerabilities. Regularly applying software updates and staying updated on indicators of compromise are crucial to ensuring the security and integrity of their systems.
