CVE-2023-42793: CozyBear Targets Software Developers Exploiting JetBrains TeamCity


On December 13, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on the Russian nation-state advanced persistent threat group CozyBear [1]. CozyBear has been observed exploiting an unauthenticated remote code execution vulnerability in JetBrains TeamCity for data exfiltration and, potentially, supply chain attacks. JetBrains TeamCity CVE-2023-42793 has a CVSS score of 9.8 (Critical).

In this blog, we explain how CozyBear and other APT groups exploit JetBrains TeamCity CVE-2023-42793 and how organizations can defend against CVE-2023-42793 attacks.


JetBrains TeamCity CVE-2023-42793 Vulnerability Explained

JetBrains TeamCity is a continuous integration and continuous delivery (CI/CD) server that is widely adopted across a range of industries, from startups to large enterprises. On September 6, 2023, JetBrains disclosed an authentication bypass vulnerability in TeamCity On-Premises that can lead to unauthenticated remote code execution. The CVE-2023-42793 vulnerability has a CVSS score of 9.8 (Critical) and affects TeamCity server versions prior to 2023.05.4.

Since CI/CD solutions are central to modern software development, high-impact vulnerabilities in them can have far-reaching consequences, including intellectual property theft, compromise of code signing certificates, and distribution of compromised software to end users. Such vulnerabilities are also potential supply chain attack vectors. In their advisory, CISA disclosed that the Russian APT group CozyBear used the TeamCity CVE-2023-42793 vulnerability to gain initial access, escalate privileges, move laterally, and establish persistence in technology companies at scale. In a separate advisory, the Microsoft Threat Intelligence Center (MSTIC) reported that two North Korean nation-state actors, Hidden Cobra and Andariel, are also exploiting CVE-2023-42793 to gain initial access, deploy backdoors, and exfiltrate sensitive data [2]. Organizations are advised to patch their vulnerable JetBrains TeamCity servers as soon as possible.

How Does the JetBrains TeamCity CVE-2023-42793 Exploit Work?

JetBrains TeamCity CVE-2023-42793 is an authentication bypass vulnerability. It is located in the "RequestInterceptors.java" file and is caused by the wildcard path "/**/RPC2" in the "myPreHandlingDisabled" PathSet [3]. If an incoming HTTP request matches the wildcard path "/**/RPC2", the TeamCity server skips its authentication checks for that request.

Adversaries abuse this vulnerability to obtain an access token by sending an HTTP POST request to the "/app/rest/users/id:1/tokens/RPC2" endpoint. In this request, RPC2 is the adversary-chosen name for the token being created; because the path ends in "/RPC2", the request bypasses authentication and returns an authentication token with the privileges of the user with ID 1, which is always the administrator account created during installation.

After gaining administrative access to the vulnerable TeamCity server, adversaries can execute arbitrary commands, move laterally in the victim's network, and deploy a backdoor for persistent connection.

//Attacker-crafted POST request

curl -X POST http://<TeamCity_Server_IP>:8111/app/rest/users/id:1/tokens/RPC2

//TeamCity Server's response with Administrator authentication token

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><token name="RPC2" creationTime="2023-11-20T12:22:12.45Z" value="<Administrator_Token>"/>

JetBrains TeamCity CVE-2023-42793 Vulnerability Exploit Example
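The following is an added defender-side example; it is not code from Picus, JetBrains, or any of the referenced advisories. It reimplements the Ant-style "/**/RPC2" path matching described above (assumption: "**" matches zero or more path segments, so any request whose final segment is exactly "RPC2" is affected), adds a version check against the 2023.05.4 fix, and runs both over a few constructed, clearly labelled access-log lines in a common-log-style format (TeamCity's own log format may differ) to show how a threat hunter could flag token creation through the bypass.

```python
"""Added example (not Picus's or JetBrains' code): CVE-2023-42793 exposure
checks for defenders.

1. parse_version / is_vulnerable_version: compares a TeamCity version string
   against 2023.05.4, the first fixed release named in the text.
2. matches_unauthenticated_pattern: reimplements the Ant-style "/**/RPC2"
   wildcard from the myPreHandlingDisabled PathSet (assumption: "**" matches
   zero or more path segments), so it shows which paths skip authentication.
3. scan_access_log: flags token-creation requests to such paths in
   constructed, common-log-style lines (sample data, not real logs).
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (2023, 5, 4)  # first fixed release per the advisory: 2023.05.4


def parse_version(version: str) -> tuple:
    """'2023.05.3' -> (2023, 5, 3); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True for any TeamCity server release older than 2023.05.4."""
    return parse_version(version) < FIXED_VERSION


def matches_unauthenticated_pattern(path: str) -> bool:
    """Does `path` match the wildcard '/**/RPC2' from myPreHandlingDisabled?

    Ant-style '**' matches any number of directories (assumption: zero or
    more), so every path whose last segment is exactly 'RPC2' matches; the
    query string does not take part in matching.
    """
    path = path.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    return bool(segments) and segments[-1] == "RPC2"


@dataclass
class Finding:
    client: str
    timestamp: str
    path: str
    severity: str
    reason: str


# Constructed sample log (common-log style; not real TeamCity output).
# Line 1 mimics the token request shown in the text; line 3 is a legitimate,
# authenticated token creation with a non-RPC2 name; line 5 is a probe.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2023:12:22:11 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 189
203.0.113.7 - - [20/Nov/2023:12:22:40 +0000] "GET /app/rest/server HTTP/1.1" 200 512
10.0.0.5 - alice [20/Nov/2023:12:30:01 +0000] "POST /app/rest/users/id:42/tokens/ci-token HTTP/1.1" 200 190
10.0.0.9 - - [20/Nov/2023:12:31:15 +0000] "GET /login.html HTTP/1.1" 200 3041
198.51.100.4 - - [20/Nov/2023:12:35:02 +0000] "GET /app/rest/RPC2 HTTP/1.1" 404 77
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(text: str) -> list:
    """Return one Finding per request whose path hits the '/**/RPC2' bypass.

    A successful POST to a '/tokens/' path is rated high (a token was most
    likely issued without authentication); any other hit is rated medium.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format
        client, _user, ts, method, path, status = m.groups()
        if not matches_unauthenticated_pattern(path):
            continue
        clean = path.split("?", 1)[0]
        if method == "POST" and "/tokens/" in clean and status == "200":
            findings.append(Finding(client, ts, clean, "high",
                            "token created through the /**/RPC2 authentication bypass"))
        else:
            findings.append(Finding(client, ts, clean, "medium",
                            "request to a path that skips pre-handling authentication"))
    return findings


if __name__ == "__main__":
    print("2023.05.3 vulnerable:", is_vulnerable_version("2023.05.3"))
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.client} {f.path}: {f.reason}")
```

Point the scanner at the reverse proxy or server access logs from before the patch date; a high-severity hit means the token named in the path (and anything done with it) needs to be revoked and investigated, which is the threat hunting step recommended in the next paragraph.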

Although JetBrains has released a patch for the vulnerability, patching only prevents future exploitation. If the network may have been compromised before the patch was applied, security teams are advised to threat hunt for signs of earlier exploitation.

Nation-State APT Groups Exploiting the JetBrains TeamCity CVE-2023-42793 Vulnerability

CozyBear: The Infamous Russian APT Group Behind the SolarWinds Attacks

CozyBear is the Russian nation-state advanced persistent threat group behind the infamous SolarWinds supply chain attack. The group has many aliases and is also known as APT29 and Nobelium. CozyBear has been active since 2013 and primarily targets governmental, diplomatic, think-tank, healthcare, and energy organizations for intelligence-gathering purposes. The group is known for its stealth and persistence: it employs a range of tactics and techniques to infiltrate target networks and remain undetected for extended periods, including custom malware, spear-phishing campaigns, and the exploitation of vulnerabilities in widely used software. Its approach often involves encrypted communications and careful management of its network infrastructure to avoid detection. Rather than immediate theft of data or disruption of services, CozyBear focuses on long-term access to compromised networks, allowing it to continuously monitor its targets' activities and gather intelligence over time.

In a joint advisory, CISA and the other authoring cyber security agencies reported that CozyBear exploited CVE-2023-42793 to compromise the networks of multiple software developers. Since the vulnerability gives them administrative access to the TeamCity server, CozyBear was able to exfiltrate database files and source code from compromised systems. To avoid detection, the adversaries used "Bring Your Own Vulnerable Driver" techniques to disable EDR and antivirus software.

CozyBear uses open-source and custom tools to stay hidden and persistent in the compromised environment. EDRSandBlast, GraphicalProton, WinPEAS, Mimikatz, Rubeus, and Rsockstun are some of the tools in CozyBear's toolset.

Hidden Cobra: North Korean Nation-State APT Group

Hidden Cobra is a North Korean nation-state threat actor that targets the aerospace, defense, IT, and media industries in the US, UK, India, and Russia. Hidden Cobra is a subset of the Lazarus Group and is also known as Diamond Sleet or ZINC. The APT group has been implicated in a variety of cyber operations, ranging from espionage to large-scale cyber theft and destructive attacks. In terms of tactics and capabilities, ZINC is known for its innovative and evolving techniques. The group uses a mix of custom-built and publicly available malware tools, often leveraging social engineering through spear-phishing campaigns to gain initial access to target networks. Once inside, it employs sophisticated methods to maintain access, avoid detection, and accomplish objectives that appear aligned with the strategic interests of the North Korean government.

Figure 1: Diamond Sleet Attack Chain [2]

In early October 2023, Hidden Cobra was observed exploiting the CVE-2023-42793 vulnerability for initial access to target networks. After initial access, the adversaries infect the compromised network with Forest64.exe to establish persistence and dump credentials. These malicious actions provide the threat actors with long-term access to victim organizations and allow them to exfiltrate sensitive data over time.

Andariel: Another Lazarus-affiliated APT Group

Andariel is a North Korean cyber-espionage and cybercrime group. Like Hidden Cobra, Andariel is part of the Lazarus Group; it is also known as Onyx Sleet or PLUTONIUM. Andariel has gained attention for its sophisticated cyber attacks and diverse range of targets. The group specializes in covert cyber operations aimed at both espionage and financial gain, focusing on collecting intelligence, disrupting operations, and stealing financial assets. Unlike some other APT groups that primarily target government and military organizations, Andariel is known for its broad target range, including businesses and financial institutions as well as South Korean government agencies.

Figure 2: Onyx Sleet Attack Chain [2]

In October 2023, MSTIC reported that Andariel was abusing CVE-2023-42793 to gain initial access. After successful exploitation, Andariel creates a new user with administrator privileges and deploys a proxy tool named HazyLoad to establish a persistent connection between compromised systems and adversary-controlled C2 infrastructure.

How Does Picus Help Simulate JetBrains TeamCity CVE-2023-42793 Attacks?

We also strongly suggest simulating the JetBrains TeamCity CVE-2023-42793 vulnerability with the Picus Complete Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for JetBrains TeamCity CVE-2023-42793 vulnerability exploitation attacks:

Threat ID | Threat Name                                                   | Attack Module
----------|---------------------------------------------------------------|-----------------------------
29141     | JetBrains Hub Web Attack Campaign                             | Web Application
52293     | GraphicalProton Backdoor Malware Download Threat              | Network Infiltration
23139     | GraphicalProton Backdoor Malware Email Threat                 | Email Infiltration (Phishing)
23181     | APT29 Threat Group Campaign Backdoor Malware Download Threat  | Network Infiltration
66164     | APT29 Threat Group Campaign Backdoor Malware Email Threat     | Email Infiltration (Phishing)


Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address the JetBrains TeamCity CVE-2023-42793 vulnerability and other vulnerability exploitation attacks in preventive security controls. Picus Labs has currently validated the following signatures for the JetBrains TeamCity CVE-2023-42793 vulnerability and the GraphicalProton backdoor malware:

Security Control | Signature ID | Signature Name
-----------------|--------------|-----------------------------------------------
Check Point NGFW | 0FBD4F59A    | Backdoor.undefined.GraphicalProton.TC.194aibLp
Check Point NGFW | 0CD114C55    | Backdoor.Win32.GraphicalProton.TC.5e7dpGBo
Check Point NGFW | 0D7AD2DE8    | Backdoor.undefined.GraphicalProton.TC.e6d0afZI
Check Point NGFW | 0A452A9B3    | Backdoor.Win32.GraphicalProton.TC.3847IObR
Check Point NGFW | 0BA49BF69    | Backdoor.undefined.GraphicalProton.TC.be58Ftsr
Check Point NGFW | 0B8AEB996    | Backdoor.undefined.GraphicalProton.TC.3d75jugq
Cisco FirePower  | 1.1002.19    | SERVER-IIS cmd.exe access
Forcepoint NGFW  |              | File_Malware-Blocked
Fortigate AV     | 10165121     | W64/Dukes.RCE!tr
Fortigate AV     | 10165124     | W32/Dukes.RCE!tr
Fortigate WAF    | 50050030     | Generic Attacks
Fortiweb         | 050050030    | Generic Attacks
Snort            | 1.1002.19    | SERVER-IIS cmd.exe access

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a. [Accessed: Dec. 14, 2023]

[2] Microsoft Threat Intelligence, "Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability," Microsoft Security Blog, Oct. 18, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/. [Accessed: Dec. 14, 2023]

[3] "CVE-2023-42793," AttackerKB. Available: https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis. [Accessed: Dec. 14, 2023]