Cozy Bear hackers target JetBrains TeamCity servers in global campaign

esteria.white

Cozy Bear, a threat group linked to Russian foreign intelligence services (SVR), carried out a global hacking campaign targeting servers hosting JetBrains TeamCity software, according to US, UK and Polish government agencies.

In a joint advisory published on December 13, 2023, six security and intelligence agencies in the United States, United Kingdom and Poland warned that Cozy Bear had been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023.

TeamCity is a popular product from Czech software provider JetBrains. Businesses use it to manage and automate the building, testing, and release of software.

“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes,” the advisory reads.

Such access could also be used to carry out attacks against the software supply chain. The advisory notes that the SVR used this kind of access to compromise SolarWinds and its customers in 2020.

However, in this most recent case, the joint advisory states: “The limited number and seemingly opportunistic types of victims currently identified indicate that the SVR did not use the access afforded by the TeamCity CVE in the same manner.”

“The SVR has, however, been observed using initial access gleaned from exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent, long-term access to the compromised network environments,” the advisory adds.

Officials said they notified dozens of companies in the United States, Europe, Asia and Australia after discovering hundreds of compromised devices.

Speaking to Infosecurity, Yaroslav Russkih, head of security at JetBrains, said his company worked on a patch immediately after learning of the vulnerability. The fix was made available in TeamCity update 2023.05.4, released on September 18, 2023.

“Since then, we have been contacting our customers directly or via public posts to motivate them to update their software. We also released a dedicated security patch for organizations using older versions of TeamCity that were unable to upgrade in time. Additionally, we share security best practices to help our customers strengthen the security of their build pipelines,” Russkih added.

“Currently, according to the statistics we have, less than 2% of TeamCity instances are still running unpatched software, and we hope that their owners will patch them immediately. This vulnerability only affects on-premises instances of TeamCity; our cloud version was not impacted.”

Is this the first time this vulnerability has been exploited?

JetBrains released a fix for this issue on September 20, 2023.

However, threat intelligence provider Prodaft subsequently reported that the release of technical details led to immediate exploitation by a series of ransomware groups.

Microsoft also reported in October that two North Korean groups it tracks, Diamond Sleet and Onyx Sleet, had exploited the same vulnerability.

On December 13, the UK-backed Shadowserver Foundation said it was still detecting 800 unpatched instances of JetBrains TeamCity worldwide.

Russkih of JetBrains commented: “The Shadowserver Foundation estimate does not distinguish instances patched with the dedicated JetBrains security plugin released for customers on older versions (since they only look at the version number). We have already contacted them to discuss possible improvements.”

Who is behind the nickname Cozy Bear?

Cozy Bear, also known as the Dukes, Nobelium, Midnight Blizzard and APT29, is a group of highly skilled hackers with ties to Russia’s foreign intelligence service (SVR).

The group has been active since at least 2008.

The group’s activity has previously been linked to the 2016 data theft from the Democratic National Committee (DNC), the SolarWinds campaign, and separate intrusions targeting intellectual property related to COVID-19 vaccine development.

CISA Recommendations to Mitigate CVE-2023-42793 Exploit

In the joint advisory, CISA provided a technical analysis of Cozy Bear’s exploitation of CVE-2023-42793, as well as a list of indicators of compromise (IoCs).

They also issued a series of mitigation recommendations.

Some of the mitigations were general security measures, such as updating all operating systems, software and firmware, enforcing multi-factor authentication (MFA), and using an endpoint detection and response (EDR) solution.


Others were specifically provided to mitigate a potential compromise in JetBrains TeamCity. These included:

  • Apply the fixes for CVE-2023-42793 that JetBrains released for TeamCity in mid-September 2023, if not already done
  • Monitor the network for evidence of encoded commands and the execution of network scanning tools
  • Ensure that host-based antivirus/endpoint monitoring solutions are enabled and configured to alert if monitoring or reporting is disabled, or if communication with a host agent is lost for longer than a reasonable period
  • Require multi-factor authentication for all services wherever possible, especially for email, virtual private networks, and accounts that access critical systems
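The first mitigation above, together with Russkih’s caveat that version-number-only scans miss hosts protected by the dedicated security plugin, is the kind of check an asset owner can automate. The following Python script is an added example, not code from the article, JetBrains or the advisory. It assumes a hypothetical asset inventory with four fields per TeamCity server (host, reported version, whether the JetBrains security plugin is installed, and whether the server is on-premises); the fixed release 2023.05.4 is the one the article names, and the hostnames and versions in the sample inventory are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed release named in the article: TeamCity 2023.05.4.
FIXED_VERSION = "2023.05.4"


@dataclass(frozen=True)
class Instance:
    """One TeamCity server from an (assumed) asset inventory."""
    host: str
    version: str
    security_plugin: bool  # hypothetical inventory field: dedicated JetBrains security plugin installed
    on_premises: bool      # the article states only on-premises instances are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '2023.05.4' into (2023, 5, 4) so versions compare numerically.
    A shorter tuple sorts before a longer one with the same prefix, so
    '2023.05' is treated as older than '2023.05.4'. Raises ValueError on
    non-numeric components."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the reported version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inst: Instance) -> str:
    """Classify one instance for patch follow-up."""
    if not inst.on_premises:
        return "not-affected"          # cloud offering was not impacted, per JetBrains
    try:
        vulnerable = is_vulnerable_version(inst.version)
    except ValueError:
        return "unknown-version"       # malformed version string: verify by hand
    if not vulnerable:
        return "patched"
    if inst.security_plugin:
        # Old version number but the security plugin is present: a scan that
        # looks only at the version number still counts this host as unpatched.
        return "mitigated-by-plugin"
    return "vulnerable"


def version_only_count(instances: List[Instance]) -> int:
    """How many on-premises hosts a version-number-only scan would flag."""
    count = 0
    for inst in instances:
        if not inst.on_premises:
            continue
        try:
            if is_vulnerable_version(inst.version):
                count += 1
        except ValueError:
            count += 1   # an unparsable version cannot be verified by a scanner either
    return count


def needs_action(instances: List[Instance]) -> List[str]:
    """Hosts that still need the 2023.05.4 update or the security plugin."""
    return [i.host for i in instances if triage(i) in ("vulnerable", "unknown-version")]


def summarize(instances: List[Instance]) -> Dict[str, int]:
    """Count of instances per triage status."""
    summary: Dict[str, int] = {}
    for inst in instances:
        status = triage(inst)
        summary[status] = summary.get(status, 0) + 1
    return summary


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Instance("build01.example.internal", "2023.05.4", security_plugin=False, on_premises=True),
    Instance("build02.example.internal", "2023.05.3", security_plugin=True, on_premises=True),
    Instance("build03.example.internal", "2022.10.1", security_plugin=False, on_premises=True),
    Instance("build04.example.internal", "2023.05", security_plugin=False, on_premises=True),
    Instance("cloud01.example.internal", "2023.05.3", security_plugin=False, on_premises=False),
]

if __name__ == "__main__":
    print("version-only scan would flag:", version_only_count(SAMPLE_INVENTORY))
    print("still need action:", needs_action(SAMPLE_INVENTORY))
    print("summary:", summarize(SAMPLE_INVENTORY))
```

On the sample inventory, a version-only scan flags three hosts, but only two still need action: build02 reports an old version yet carries the security plugin, which is exactly the gap Russkih describes in the Shadowserver count. Treating unparsable versions as needing action errs on the side of follow-up rather than silently dropping a host.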
