Tuesday, October 15, 2024
Homecyber securityRussian Hackers Exploiting JetBrain Vulnerability to Hack Servers

Russian Hackers Exploiting JetBrain Vulnerability to Hack Servers

Published on

Malware protection

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and other co-authoring agencies have issued a warning that Russian Foreign Intelligence Service (SVR) cyber actors are widely exploiting CVE-2023-42793, aiming their attacks at servers that host JetBrains TeamCity software since September 2023.

Cyber actors affiliated with the Foreign Intelligence Service (SVR) are also referred to as Advanced Persistent Threat 29 (APT 29), Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.

According to the reports, the victims include businesses that offer software for marketing, sales, medical devices, billing, employee monitoring, financial management, hosting, tool manufacturers, small and large IT companies, and an energy trade association.

- Advertisement - SIEM as a Service

Cyber Actors Exploiting JetBrains Vulnerability

The SVR continues attacking computer companies with this newly attributed operation that targets networks that host TeamCity servers. 

The authoring agencies determine that by taking advantage of CVE2023-42793, a software development program, the SVR might gain access to victims, especially by giving the threat actors the ability to compromise the networks of several software developers.

The flaw identified as CVE2023-42793 impacts the version before 2023.05.4; it was possible to bypass authentication in JetBrains TeamCity, which might result in RCE on TeamCity Server.

Software developers manage and automate software development, compilation, testing, and release using TeamCity servers, according to the CSA. 

Malicious actors may be able to undertake malicious supply chain operations, get source code, sign certificates, disrupt software deployment and compilation procedures, and much more if they have access to a TeamCity server.

The CSA also stated threat actors carry out malicious operations like moving laterally, backdoor deployment, privilege escalation, and other actions to guarantee long-term, continuous access to the compromised network environments.

In mid-September 2023, JetBrains released a fix for this CVE, which restricted the SVR’s ability to operate to exploit unpatched TeamCity servers accessible over the Internet.

Although the authorizing agencies evaluate that the SVR is still likely in the preparation phase of its operations and has not yet utilized its access to software developers to access customer networks, the SVR’s access to these networks gives it a chance to enable difficult-to-detect command and control (C2) infrastructure.

 “Russian cyber actors continue taking advantage of known vulnerabilities for intelligence collection,” said Rob Joyce, Director of NSA’s Cybersecurity Directorate. 

“It is critical to ensure systems are patched quickly, and to implement the mitigations and use the IOCs listed in this report to hunt for adversary persistent access.”

Recommendation

Based on the malicious actions of the SVR cyber actors, the agencies advise enterprises to enhance their cyber security posture by implementing the mitigations in the alert. The mitigations are as follows:

  • Implementing a patch from JetBrains TeamCity
  • Monitor the network
  • Setting up host-based and endpoint protection solutions
  • Utilizing multi-factor authentication
  • Auditing log files
Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...