December 14, 2023 at 06:24AM
Russian threat actors linked to APT29 and SVR have been targeting unpatched JetBrains TeamCity servers since September 2023, exploiting CVE-2023-42793. This involves initial access to the compromised network environments and subsequent deployment of backdoors. The attacks aim to compromise source code, signing certificates, and software deployment processes, impacting numerous sectors globally. Microsoft has also disclosed Russia’s multi-pronged assault on Ukrainian sectors and influence operations targeting international supporters of Ukraine.
Key takeaways from the meeting notes are as follows:
1. Threat actors linked to the Russian Foreign Intelligence Service (SVR) have been targeting unpatched JetBrains TeamCity servers in widespread attacks since September 2023.
2. The attacks have been attributed to a nation-state group known as APT29 and are notable for the supply chain attack targeting SolarWinds and its customers in 2020.
3. The vulnerability exploited is CVE-2023-42793, a critical security flaw with a CVSS score of 9.8, allowing attackers to achieve remote code execution on affected systems. It has been actively exploited by various hacking crews, including those associated with North Korea for malware delivery.
4. Successful exploitation of TeamCity servers provides malicious actors with access to source code, signing certificates, and the ability to subvert software compilation and deployment processes, enabling supply chain operations.
5. The end goal of the attacks is to deploy a backdoor codenamed GraphicalProton that functions as a loader to deliver additional payloads. It leverages OneDrive and Dropbox as primary and fallback command-and-control (C2) communication channels.
6. As many as 100 devices located across the U.S., Europe, Asia, and Australia are suspected to have been compromised due to opportunistic attacks targeting various industries and organizations.
7. Microsoft has revealed Russia’s multi-pronged assault on Ukraine’s agriculture sector, involving intrusion, data exfiltration, and deployment of destructive malware, including SharpWipe.
8. Russia-affiliated influence actors have been carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine, including content manipulation, spoofing mainstream media, and deceptively editing celebrity videos to further their narrative in the online information space.
These key takeaways provide a comprehensive understanding of the cybersecurity threats and influence operations discussed in the meeting notes.