December 13, 2023 at 11:59AM
Summary:
The FBI, CISA, NSA, SKW, CERT Polska, and NCSC released a report assessing Russian SVR cyber actors exploiting CVE-2023-42793 to target servers hosting JetBrains TeamCity software globally. The report provides IOCs and mitigations to assist organizations in detecting and countering these malicious actions. SVR cyber activity poses a persistent threat, targeting a wide range of public and private organizations globally for foreign intelligence collection, with additional technical details provided.
Based on the meeting notes provided, the key takeaways are:
1. The FBI, CISA, NSA, SKW, CERT Polska, and NCSC have assessed that Russian Foreign Intelligence Service (SVR) cyber actors, known by several aliases, are exploiting CVE-2023-42793 to target servers hosting JetBrains TeamCity software. This exploitation provides them with access to software developers’ source code, signing certificates, and the ability to subvert software compilation and deployment processes, thereby enabling supply chain operations.
2. The SVR has been observed using the access gleaned by exploiting the TeamCity CVE to escalate privileges, move laterally, deploy additional backdoors, and ensure persistent and long-term access to compromised network environments.
3. The authoring agencies are providing information on the SVR’s most recent compromise as a means to bring Russia’s actions to public attention, aid organizations in conducting their own investigations and securing their networks, and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions.
4. The authoring agencies recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the indicators of compromise (IOCs) provided in their advisory. Additionally, they recommend organizations to apply the incident response recommendations provided in the advisory and report key findings to the FBI and CISA.
5. The SVR cyber actors also employ a variety of techniques, including host reconnaissance, file exfiltration, privilege escalation, persistence, credential access, lateral movement, and command and control tactics, to avoid detection and further their cyber operations.
Based on these takeaways, it is crucial for organizations to be proactive in addressing vulnerabilities and implementing cybersecurity measures to protect their systems and networks. Organizations should promptly apply available patches for CVE-2023-42793, conduct thorough threat hunting activities, and adhere to the incident response recommendations provided by the authoring agencies. Additionally, it is important to evaluate and validate security controls and enhance defenses against the tactics and techniques employed by the SVR cyber actors based on the MITRE ATT&CK framework.