December 14, 2023 at 09:14AM
Summary:
Authorities warn that Russia’s SVR’s cyber unit is exploiting a critical vulnerability in JetBrains TeamCity CI/CD server. The exploit could enable manipulation of source code, and potentially facilitate future attacks. The advisory outlines the SVR’s cyber operations and their long-term objectives in cyberspace. Mitigations and indicators of compromise are provided for potential victims.
Key Takeaways:
– The offensive cyber unit linked to Russia’s Foreign Intelligence Service (SVR) has been exploiting a critical vulnerability (CVE-2023-42793) affecting the JetBrains TeamCity CI/CD server on a large scale since September.
– The exploit allows attackers to manipulate source code, sign certificates, and manipulate software deployment processes.
– Although no evidence suggests immediate attacks similar to the SolarWinds case, the SVR has used the access to plant additional backdoors and establish a foothold in victims’ environments.
– The SVR’s activities include using legitimate services like Dropbox and OneDrive to mask command and control (C2) traffic, with malware-related data obfuscated inside randomly generated BMP files. They have also employed the GraphicalProton backdoor and Mimikatz toolkit, among other techniques.
– Nearly 800 TeamCity instances remain vulnerable to CVE-2023-42793 exploits, despite patches released by JetBrains.
– The SVR’s exploitation of TeamCity aligns with their long-term targeting pattern to collect foreign intelligence, encompassing political, economic, scientific, and technological information from a variety of organizations.
– This exploitation strategy reflects the SVR’s broader objectives in cyberspace, aiming to collect foreign intelligence and conduct cyber operations targeting technology companies to enable future missions.
– The SVR has historically relied on spear phishing methods, but extensive experience in exploiting vulnerabilities and breaking into targets’ systems is also noted. Examples include targeting organizations involved in COVID-19 vaccine development and the sophisticated SolarWinds attack.