The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
On December 13, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on the Russian nation-state advanced persistent threat, CozyBear [1]. CozyBear is observed to exploit an unauthenticated remote code execution vulnerability found in JetBrains TeamCity software for data exfiltration and possibly supply chain attacks. JetBrains TeamCity CVE-2023-42793 has a CVSS score of 9.8 (Critical).
In this blog, we explained how CozyBear and other APT groups exploit the JetBrains TeamCity CVE-2023-42793 and how organizations can defend against CVE-2023-42793 attacks.
Simulate Vulnerability Exploitation Threats with 14-Day Free Trial of Picus Platform
JetBrains TeamCity CVE-2023-42793 Vulnerability Explained
JetBrains TeamCity is a continuous integration and continuous delivery (CI/CD) server, and it is widely adopted across a range of industries, from startups to large enterprises. On September 6, 2023, JetBrains disclosed an authentication bypass vulnerability found in TeamCity On-Premises, which can lead to unauthenticated remote code execution. CVE-2023-42793 vulnerability has a CVSS score of 9.8 (Critical). The vulnerability affects TeamCity server versions prior to 2023.05.4.
Since CI/CD solutions are crucial in modern software development, high-impact vulnerabilities may have far-reaching implications, including intellectual property theft, compromise of code signing certificates, and distribution of compromised software to end-users. Such vulnerabilities are also potential supply chain attack vectors. In their advisory, CISA disclosed that the Russian APT group CozyBear used TeamCity CVE-2023-42793 vulnerability to gain initial access, escalate privileges, move laterally, and establish persistence in technology companies at large scale. In another advisory, Microsoft Threat Intelligence Center (MSTIC) published that two North Korean nation-state actors, Hidden Cobra and Andariel, are also exploiting CVE-2023-42793 vulnerability to gain initial access, deploy backdoors, and exfiltrate sensitive data [2]. Organizations are advised to patch their vulnerable JetBrains TeamCity servers as soon as possible.
How JetBrains TeamCity CVE-2023-42793 Exploit Works?
JetBrains TeamCity CVE-2023-42793 vulnerability is an authentication bypass vulnerability. The vulnerability is found in the "RequestInterceptiors.java" file, and it is caused by the wildcard path "/**/RPC2" in the "myPreHandlingDisabled" PathSet [3]. If any incoming HTTP request matches the wildcard path "/**/RPC2", the TeamCity server does not perform authentication checks.
Adversaries abuse this vulnerability to obtain an access token by sending an HTTP POST request to "/app/rest/users/id:1/tokens/RPC2" endpoint. In this example, RPC2 is the adversary-given name for the requested token, and it allows adversaries to gain access to an authentication token with the privileges of the user with the ID of 1, which is always the administrator created during system installation.
After gaining administrative access to the vulnerable TeamCity server, adversaries can execute arbitrary commands, move laterally in the victim's network, and deploy a backdoor for persistent connection.
//Attacker-crafted POST request curl -X POST http://<TeamCity_Server_IP>:8111/app/rest/users/id:1/tokens/RPC2 //TeamCity Server's response with Administrator authentication token <?xml version="1.0" encoding="UTF-8" standalone="yes"?><token name="RPC2" creationTime="2023-11-20T12:22:12.45Z" value="<Administrator_Token>"/> |
JetBrains TeamCity CVE-2023-42793 Vulnerability Exploit Example
Although JetBrains released a patch for the vulnerability, patching the vulnerability only limits future exploitations. If the network is compromised prior to patching, security teams are advised to do threat hunting.
Nation-State APT Groups Exploiting JetBrainsTeamCity CVE-2023-42793 Vulnerability
CozyBear: The Infamous Russian APT Group Behind the SolarWinds Attacks
CozyBear is a Russian nation-state advanced persistent threat group behind the infamous Solarwinds supply chain attack. The group has many aliases and is also known as APT29 and Nobelium. CozyBear has been active since 2013 and primarily targets governmental, diplomatic, think-tank, healthcare, and energy organizations for intelligence-gathering purposes. The Russian APT group is known for its stealth and persistence. They employ a range of tactics and techniques to infiltrate target networks and remain undetected for extended periods. This includes the use of custom malware, spear-phishing campaigns, and the exploitation of vulnerabilities in widely used software. Their approach often involves the use of encrypted communications and the careful management of their network infrastructure to avoid detection. Rather than immediate theft of data or disruption of services, CozyBear focuses on long-term access to the compromised networks allowing them to continuously monitor the activities of their targets and gather intelligence over time.
In a joint advisory, CISA and other authoring cyber security agencies reported that CozyBear exploited CVE-2023-42793 to compromise the networks of multiple software developers. Since the vulnerability allows them to gain administrative access to the network, CozyBear was able to exfiltrate database files and source code from compromised systems. To avoid being detected, adversaries used "Bring Your Own Vulnerable Driver" techniques to disable EDR and antivirus software.
CozyBear uses open-source and custom tools to stay hidden and persistent in the compromised environment. EDRSandBlast, GraphicalProton, WinPEAS, Mimikatz, Rubeus, and Rsockstun are some of the tools in CozyBear's toolset.
Hidden Cobra: North Korean Nation State APT Group
Hidden Cobra is a North Korean nation-state threat actor that targets aerospace, defense, IT, and media industries based in the US, UK, India, and Russia. Hidden Cobra is a subset of Lazarus Group and is also known as Diamond Sleet or ZINC. The APT group has been implicated in a variety of cyber operations ranging from espionage to large-scale cyber theft and destructive attacks. In terms of tactics and capabilities, ZINC is known for its innovative and evolving techniques. The group uses a mix of custom-built and publicly available malware tools, often leveraging social engineering through spear-phishing campaigns to gain initial access to target networks. Once inside, they employ sophisticated methods to maintain access, avoid detection, and accomplish their objectives, which seem to be aligned with the strategic interests of the North Korean government.
Figure 1: Diamond Sleet Attack Chain [2]
In early October 2023, Hidden Cobra was observed to exploit the CVE-2023-42793 vulnerability for initial access to target networks. After initial access, adversaries infect the compromised network with Forest64.exe to establish persistence and dump credentials. These malicious actions provide threat actors long-term access to victim organizations and allow them to exfiltrate sensitive data over time.
Andariel: Another Lazarus-affiliated APT Group
Andariel is a North Korean cyber-espionage and cybercrime group. Similar to Hidden Cobra, Andariel is also a part of the Lazarus Group. The group is also known as Onyx Sleet or PLUTONIUM. Andariel has gained attention for its sophisticated cyber attacks and diverse range of targets. Andariel specializes in conducting covert cyber operations with the aim of both espionage and financial gain. The group focuses on collecting intelligence, disrupting operations, and stealing financial assets. Unlike some other APT groups that primarily target government and military organizations, Andariel is known for its diverse target range, including businesses and financial institutions, as well as South Korean government agencies.
Figure 2: Onyx Sleet Attack Chain [2]
In October 2023, MSTIC reported that Andariel was abusing CVE-2023-42793 to gain initial access. After successful exploitation, Andariel creates a new user with administrator privileges and deploys a proxy tool named HazyLoad to establish a persistent connection between compromised systems and adversary-controlled C2 infrastructure.
How Picus Helps Simulate JetBrains TeamCity CVE-2023-42793 Attacks?
We also strongly suggest simulating the JetBrains TeamCity CVE-2023-42793 Vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for JetBrains TeamCity CVE-2023-42793 vulnerability exploitation attacks:
Threat ID |
Threat Name |
Attack Module |
29141 |
JetBrains Hub Web Attack Campaign |
Web Application |
52293 |
GraphicalProton Backdoor Malware Download Threat |
Network Infiltration |
23139 |
GraphicalProton Backdoor Malware Email Threat |
Email Infiltration (Phishing) |
23181 |
APT29 Threat Group Campaign Backdoor Malware Download Threat |
Network Infiltration |
66164 |
APT29 Threat Group Campaign Backdoor Malware Email Threat |
Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address JetBrains TeamCity CVE-2023-42793 vulnerability and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures for JetBrains TeamCity CVE-2023-42793 vulnerability and Graphical Proton Backdoor malware:
Security Control |
Signature ID |
Signature Name |
Check Point NGFW |
0FBD4F59A |
Backdoor.undefined.GraphicalProton.TC.194aibLp |
Check Point NGFW |
0CD114C55 |
Backdoor.Win32.GraphicalProton.TC.5e7dpGBo |
Check Point NGFW |
0D7AD2DE8 |
Backdoor.undefined.GraphicalProton.TC.e6d0afZI |
Check Point NGFW |
0A452A9B3 |
Backdoor.Win32.GraphicalProton.TC.3847IObR |
Check Point NGFW |
0BA49BF69 |
Backdoor.undefined.GraphicalProton.TC.be58Ftsr |
Check Point NGFW |
0B8AEB996 |
Backdoor.undefined.GraphicalProton.TC.3d75jugq |
Cisco FirePower |
1.1002.19 |
SERVER-IIS cmd.exe access |
Forcepoint NGFW |
File_Malware-Blocked |
|
Fortigate AV |
10165121 |
W64/Dukes.RCE!tr |
Fortigate AV |
10165124 |
W32/Dukes.RCE!tr |
Fortigate WAF |
50050030 |
Generic Attacks |
Fortiweb |
050050030 |
Generic Attacks |
Snort |
1.1002.19 |
SERVER-IIS cmd.exe access |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a. [Accessed: Dec. 14, 2023]
[2] M. T. Intelligence, "Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability," Microsoft Security Blog, Oct. 18, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/. [Accessed: Dec. 14, 2023]
[3] "CVE-2023-42793," AttackerKB. Available: https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis. [Accessed: Dec. 14, 2023]