October 19, 2023 at 04:33PM
North Korean state-backed threat groups, Diamond Sleet and Onyx Sleet, are exploiting a critical vulnerability in JetBrains TeamCity server to carry out cyber espionage, data theft, and other malicious activities. Over 30,000 organizations, including Citibank, Nike, and Ferrari, use TeamCity. The vulnerability allows attackers to gain administrative privileges and execute unauthorized code. It is crucial for organizations to upgrade to the latest version of TeamCity or apply the security patch to mitigate the risk.
Summary:
– Two North Korean state-backed threat groups, Diamond Sleet and Onyx Sleet, are actively exploiting a critical remote code execution (RCE) bug in on-premises versions of JetBrains TeamCity.
– The bug allows the attackers to drop backdoors and other implants for various malicious activities, including cyber espionage, data theft, financially motivated attacks, and network sabotage.
– Diamond Sleet mainly targets organizations in IT services, media, and defense-related sectors globally, while Onyx Sleet focuses on defense and IT services entities in the US, South Korea, and India.
– Microsoft observed that each threat actor group utilizes unique sets of tools and techniques following successful exploitation.
– The vulnerability, assigned a severity score of 9.8 out of 10, enables an unauthenticated attack to perform an RCE attack and gain administrative privileges on an affected TeamCity server.
– Diamond Sleet uses PowerShell to download malicious payloads and a backdoor called ForestTiger, while Onyx Sleet creates a new user account and uses it to download and decrypt an embedded payload.
– The vulnerability is easy to find and exploit, making it likely that all publicly exposed, vulnerable instances are successfully exploited.
– The attacks highlight the growing interest of threat actors in software development pipelines as an initial access vector and for stealing source code and secrets.
– Software organizations should establish traceable and verifiable links between source code and the final build artifact, implement reproducible builds, and follow strategies for supply chain security to address CI/CD security.
– JetBrains released a fixed version of TeamCity and a security patch to address the vulnerability.