North Korean hackers exploit critical TeamCity flaw to breach networks

October 18, 2023 at 06:34PM

Microsoft reports that the North Korean hacking groups Lazarus and Andariel are exploiting a vulnerability in TeamCity servers, CVE-2023-42793, to deploy backdoor malware. The attacks are most likely a staging step for software supply chain attacks. Once a server is breached, the groups use different attack chains to gain persistence on the compromised network and deploy several malware families. Microsoft warns that these intrusions pose a high risk to affected organizations. Lazarus is known for espionage and financially motivated attacks, while Andariel focuses on cyber espionage, data theft, destructive attacks, and ransomware.

Microsoft Threat Intelligence reports that the North Korean hacking groups Lazarus and Andariel are exploiting CVE-2023-42793, an authentication bypass in JetBrains TeamCity On-Premises that allows unauthenticated remote code execution, to deploy backdoor malware on TeamCity servers, potentially in preparation for software supply chain attacks. TeamCity is a continuous integration and deployment server used in software development infrastructure, so a compromised instance gives an attacker a direct path into an organization's build pipeline.

JetBrains fixed the flaw quickly (in TeamCity 2023.05.4), but threat actors, including ransomware groups, began exploiting it to breach corporate networks, and Microsoft has now observed Lazarus and Andariel using it as well. Microsoft suspects the ultimate goal is software supply chain compromise, since North Korean threat actors have previously carried out such attacks by infiltrating build environments.

The two groups use different attack chains to deploy backdoors and gain persistence on compromised networks. Lazarus deploys the ForestTiger malware or uses DLL search order hijacking to install a remote access Trojan called FeedLoad. Andariel takes a hands-on approach, creating an admin account on the breached server and deploying the HazyLoad proxy tool. The attackers also dump credentials from LSASS, presumably to move laterally across the compromised network. For defenders this means patching alone is not enough: a server that was exposed before the update should be treated as compromised, with credentials held on it rotated and any unexpected administrator accounts or DLLs in application directories reviewed.

Lazarus and Andariel are state-sponsored North Korean groups, with Andariel a subgroup of Lazarus. Lazarus has been involved in espionage, data theft, financially motivated attacks, and targeting security researchers, while Andariel focuses on defense and IT services entities in South Korea, the United States, and India for cyber espionage, data theft, destructive attacks, and ransomware.
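The article names the post-exploitation behaviours (an admin account created on the server, credentials dumped from LSASS) but not how to hunt for them. The script below is an added example, not code from the article or from Microsoft, that applies the two checks to Windows Security and Sysmon events from a TeamCity host: a newly created local account that lands in the Administrators group within minutes, and a process outside a small allowlist opening lsass.exe with read access. The event IDs (4720, 4732, Sysmon 10) and the Administrators SID are real; the hostnames, account names, file paths and the allowlist are constructed assumptions for the sample.

```python
"""Hunt for the post-exploitation behaviour described above in Windows Security
and Sysmon events from a TeamCity host: a new local account that is added to the
Administrators group shortly after creation, and a non-system process opening a
handle to LSASS with read access (credential dumping). All events below are
constructed samples, not real logs."""
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
PROCESS_VM_READ = 0x0010      # access right needed to read LSASS memory

# Processes that legitimately open LSASS; a tuning assumption, not an exhaustive list.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}

# Constructed sample events standing in for parsed EVTX / Sysmon records.
# id 4720 = user account created, 4732 = member added to a local group,
# id 10 = Sysmon ProcessAccess.
SAMPLE_EVENTS = [
    {"ts": "2023-10-02T03:12:05", "host": "teamcity01", "id": 4720,
     "subject": "NT AUTHORITY\\SYSTEM", "target_user": "svc_build"},
    {"ts": "2023-10-02T03:12:09", "host": "teamcity01", "id": 4732,
     "group_sid": ADMINS_SID, "member": "svc_build"},
    {"ts": "2023-10-02T03:20:41", "host": "teamcity01", "id": 10,
     "source_image": "C:\\Windows\\Temp\\dump.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2023-10-02T09:00:00", "host": "teamcity01", "id": 10,
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1fffff"},
    {"ts": "2023-10-03T14:00:00", "host": "dc01", "id": 4720,
     "subject": "CORP\\admin.jane", "target_user": "new.hire"},   # no group add: benign
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_admin_account_creation(events, window=timedelta(minutes=15)):
    """Pair a 4720 (account created) with a 4732 that adds the same account to
    Administrators on the same host within `window`."""
    created = {}
    hits = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[(e["host"], e["target_user"].lower())] = e
        elif e["id"] == 4732 and e.get("group_sid") == ADMINS_SID:
            key = (e["host"], e["member"].lower())
            origin = created.get(key)
            if origin and _ts(e) - _ts(origin) <= window:
                hits.append({"host": e["host"], "account": e["member"],
                             "created_by": origin["subject"], "ts": e["ts"]})
    return hits


def find_lsass_access(events, allowlist=LSASS_ALLOWLIST):
    """Flag Sysmon ProcessAccess events where a process outside the allowlist
    opens lsass.exe with PROCESS_VM_READ in the granted access mask."""
    hits = []
    for e in events:
        if e["id"] != 10 or not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        source = e["source_image"].rsplit("\\", 1)[-1].lower()
        if source in allowlist:
            continue
        if int(e["granted_access"], 16) & PROCESS_VM_READ:
            hits.append({"host": e["host"], "source_image": e["source_image"],
                         "granted_access": e["granted_access"], "ts": e["ts"]})
    return hits


def hunt(events):
    """Run both checks and return findings keyed by check name."""
    return {"admin_account_creation": find_admin_account_creation(events),
            "lsass_access": find_lsass_access(events)}


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"[{name}] {f}")
```

On real data the allowlist and the time window are the knobs to tune: a build server may have agents or backup software that legitimately touch LSASS, and an account created by a provisioning tool and promoted hours later should not be paired. The 4720 subject field is kept in the finding because an account created by the TeamCity service account rather than by an administrator is the detail that distinguishes this intrusion from routine provisioning.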
