October 19, 2023 at 07:06AM
Multiple North Korean threat actors, including Diamond Sleet and Onyx Sleet, have been targeting vulnerable TeamCity servers using the CVE-2023-42793 vulnerability, which allows remote code execution and admin-level access. Microsoft warns that these threat actors have a history of conducting software supply chain attacks and poses a high risk to organizations. The affected organizations are advised to apply patches, investigate for compromise, block suspicious IP addresses, and remediate any malicious activity.
Meeting Takeaways:
– Multiple North Korean threat actors have been exploiting a vulnerability in JetBrains’ TeamCity CI/CD server.
– The vulnerability (CVE-2023-42793) allows unauthenticated attackers to remotely execute code and gain administrator-level permissions.
– JetBrains released patches for the bug on September 21, but exploitation attempts were reported soon after.
– Microsoft reports that at least two North Korean state-sponsored threat actors, Diamond Sleet and Onyx Sleet, have been exploiting the vulnerability.
– These threat actors have been known to conduct software supply chain attacks and pose a high risk to organizations.
– Diamond Sleet, also known as Zinc, is focused on espionage, data theft, destruction, and financial gain. They target defense-related entities, journalists, and IT services organizations.
– Onyx Sleet, also known as Plutonium, Andariel, and DarkSeoul, targets defense and IT services organizations in the US, South Korea, and India.
– Organizations are advised to apply patches, investigate their networks for compromise, block traffic from specified IP addresses, remediate any malicious activity, and investigate potential lateral movement.