October 19, 2023 at 03:21AM
North Korean threat actors are exploiting a security flaw in JetBrains TeamCity to breach vulnerable servers. The attacks are attributed to Diamond Sleet and Onyx Sleet, both part of the Lazarus Group. The attacks involve compromising TeamCity servers and deploying known implants or malicious DLLs. Microsoft observed the use of various tools and techniques in the attacks. The Lazarus Group is involved in financial crime and espionage, with cryptocurrency heists being a major source of revenue to fund missile programs. Another North Korean threat actor, Kimsuky, is conducting spear-phishing attacks using BabyShark malware.
Key Takeaways from the Meeting Notes:
1. North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to breach vulnerable servers.
2. The attacks are attributed to Diamond Sleet and Onyx Sleet, who are part of the Lazarus Group.
3. Diamond Sleet deploys the ForestTiger implant after compromising TeamCity servers, while a second attack variant uses DLL search-order hijacking to execute a next-stage payload or remote access trojan.
4. Onyx Sleet creates a new user account named krtbgt, a name chosen to mimic the legitimate krbtgt Kerberos Ticket Granting Ticket account, and deploys a custom proxy tool called HazyLoad.
5. Lazarus Group engages in financial crime and espionage attacks, with cryptocurrency theft being a major revenue source.
6. Lazarus Group also utilizes malware families like Volgmer and Scout to control infected systems and has been implicated in a campaign called Operation Dream Magic involving watering hole attacks.
7. Another North Korean threat actor known as Kimsuky (aka APT43) is conducting spear-phishing attacks using the BabyShark malware and remote desktop tools like TightVNC and TinyNuke to exfiltrate information.
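The krtbgt account in takeaway 4 is a lookalike of the built-in krbtgt principal, and that kind of near-miss naming is something a detection engineer can hunt for in account-creation telemetry. The following Python is an added example for this summary, not code from Microsoft's report or from any tool it names: it scans constructed records modelled on Windows Security event 4720 ("a user account was created"; the EventID, TargetUserName, SubjectUserName and Computer fields are the real log fields, the sample values are made up) and flags any new account whose name is within a small edit distance of a watchlisted privileged name. The watchlist and the distance threshold are assumptions to tune for your environment.

```python
"""Flag newly created accounts whose names mimic privileged principals.

Added example (not from the original page). Input lines are constructed
key=value renderings of Windows Security event 4720; the watchlist and the
edit-distance threshold are assumptions.
"""
import re

# Built-in principals an intruder might imitate. "krtbgt" from the report is
# a two-character transposition of "krbtgt".
WATCHLIST = ("krbtgt", "administrator")
MAX_DISTANCE = 2  # names this close (case-insensitive) to a watchlisted name are flagged


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_event(line: str) -> dict:
    """Turn 'Key=Value Key=Value' into a dict (constructed log format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def lookalike_alerts(lines) -> list:
    """Return one alert per 4720 event whose new account name is a watchlist lookalike.

    Distance 0 (exact match, e.g. a fresh local 'Administrator') is reported too,
    since creating an account with a privileged name on a build server is itself
    worth a look; filter it out if it is noise in your estate.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4720":
            continue  # only account-creation events matter here
        name = ev.get("TargetUserName", "")
        for legit in WATCHLIST:
            dist = levenshtein(name.lower(), legit)
            if dist <= MAX_DISTANCE:
                alerts.append({
                    "account": name,
                    "mimics": legit,
                    "distance": dist,
                    "host": ev.get("Computer"),
                    "creator": ev.get("SubjectUserName"),
                })
    return alerts


# Constructed sample events: one lookalike of krbtgt created by the CI service
# account, one benign account, one lookalike of Administrator, and a logon
# event (4624) that must be ignored.
SAMPLE_EVENTS = [
    "EventID=4720 Computer=TEAMCITY01 SubjectUserName=svc_teamcity TargetUserName=krtbgt",
    "EventID=4720 Computer=BUILD02 SubjectUserName=jdoe TargetUserName=contractor7",
    "EventID=4720 Computer=BUILD02 SubjectUserName=jdoe TargetUserName=Administrat0r",
    "EventID=4624 Computer=TEAMCITY01 SubjectUserName=svc_teamcity TargetUserName=krtbgt",
]

if __name__ == "__main__":
    for alert in lookalike_alerts(SAMPLE_EVENTS):
        print(f"{alert['host']}: account '{alert['account']}' created by "
              f"{alert['creator']} resembles '{alert['mimics']}' (distance {alert['distance']})")
```

Run against the constructed sample, the scan reports krtbgt on TEAMCITY01 (distance 2 from krbtgt) and Administrat0r on BUILD02 (distance 1), and ignores the benign account and the logon event. The same check works on SIEM exports once the field names are mapped; the threshold of 2 catches transpositions and single-character swaps without matching unrelated short names.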