Saturday, December 16, 2023

Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally | CISA

The Russian Foreign Intelligence Service (SVR), also tracked as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, has been actively exploiting CVE-2023-42793, a vulnerability in JetBrains TeamCity software. The activity has been ongoing since at least September 2023 and is the subject of a joint advisory issued by several cybersecurity and intelligence agencies. The key details:

Targeting JetBrains TeamCity software: SVR-affiliated cyber actors have been targeting servers hosting JetBrains TeamCity. Successful exploitation lets them bypass authorization and execute arbitrary code on the server, a serious threat to the integrity of the build and deployment pipeline that TeamCity manages.

CVE-2023-42793 exploitation: The vulnerability these actors exploit, CVE-2023-42793, is an authentication bypass in TeamCity server. It was disclosed and patched in September, which highlights the importance of timely software updates and patch management.

Global hacking campaign: Cozy Bear, linked to the SVR, has been conducting a global campaign against these servers. Government agencies in the US, UK and Poland have acknowledged and warned about the campaign, underscoring how widespread the threat is.

Joint advisory by security agencies: The US Federal Bureau of Investigation (FBI), CISA, NSA, Poland's SKW, CERT Polska and the UK's NCSC have issued warnings about this threat. The advisory reflects a coordinated effort to raise awareness of, and counter, the SVR's exploitation of this vulnerability.

The SVR's exploitation of CVE-2023-42793 shows the continued need for vigilance, especially around software vulnerabilities that state-affiliated actors can leverage for espionage or other malicious activity. It also underscores the value of collaboration among international cybersecurity agencies in addressing global threats.

IoC

DOMAIN

  • poetpages.com
  • matclick.com

IPv4

  • 65.21.51.58
  • 103.76.128.34

SHA256

  • f6194121e1540c3553273709127dfa1daab96b0acfab6e92548bfb4059913c69
  • f1b40e6e5a7cbc22f7a0bd34607b13e7e3493b8aad7431c47f1366f0256e23eb
  • ebe231c90fad02590fc56d5840acc63b90312b0e2fee7da3c7606027ed92600e
  • d724728344fcf3812a0664a80270f7b4980b82342449a8c5a2fa510e10600443
  • cd3584d61c2724f927553770924149bb51811742a461146b15b34a26c92cad43
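The indicators above are only useful once they are swept against your own telemetry. The following script is an added example, not code from the original post or from the advisory: it loads the domains, IPv4 addresses and SHA-256 values listed above, extracts candidate indicators from proxy, DNS and EDR-style log lines, and reports matches (subdomains of a listed domain count as hits, and hashes match case-insensitively). The log lines and the byte blob it checks are constructed sample data, not real telemetry.

```python
"""IoC sweep for the indicators in the advisory summary above.

Added example, not code from the original post or the advisory. The
domains, IPv4 addresses and SHA-256 values are the ones listed on the
page; the log lines below are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass

IOC_DOMAINS = {"poetpages.com", "matclick.com"}
IOC_IPV4 = {"65.21.51.58", "103.76.128.34"}
IOC_SHA256 = {
    "f6194121e1540c3553273709127dfa1daab96b0acfab6e92548bfb4059913c69",
    "f1b40e6e5a7cbc22f7a0bd34607b13e7e3493b8aad7431c47f1366f0256e23eb",
    "ebe231c90fad02590fc56d5840acc63b90312b0e2fee7da3c7606027ed92600e",
    "d724728344fcf3812a0664a80270f7b4980b82342449a8c5a2fa510e10600443",
    "cd3584d61c2724f927553770924149bb51811742a461146b15b34a26c92cad43",
}

# Loose extractors: they over-match on purpose (a file name like "x.exe"
# looks like a domain); only candidates present in the IoC sets become hits.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned input
    kind: str      # "domain", "ipv4" or "sha256"
    value: str     # normalised (lower-cased) indicator that matched


def domain_is_ioc(name: str) -> bool:
    """True for an exact match or any subdomain of a listed domain."""
    name = name.lower().rstrip(".")
    return name in IOC_DOMAINS or any(name.endswith("." + d) for d in IOC_DOMAINS)


def match_line(line_no: int, line: str) -> list[Hit]:
    """Return every IoC hit found in one log line, in extraction order."""
    hits = []
    for name in DOMAIN_RE.findall(line):
        if domain_is_ioc(name):
            hits.append(Hit(line_no, "domain", name.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPV4:
            hits.append(Hit(line_no, "ipv4", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(Hit(line_no, "sha256", digest.lower()))
    return hits


def sweep_logs(lines) -> list[Hit]:
    """Scan an iterable of log lines and collect all hits."""
    return [h for i, line in enumerate(lines, start=1) for h in match_line(i, line)]


def file_is_known_bad(data: bytes) -> bool:
    """Hash file contents and compare against the listed SHA-256 values."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Constructed sample log lines (proxy, DNS and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2023-12-10T08:12:01Z proxy allow host=poetpages.com dst=65.21.51.58 user=svc-build",
    "2023-12-10T08:12:05Z dns query name=cdn.matclick.com type=A",
    "2023-12-10T08:13:11Z proxy allow host=updates.example.com dst=203.0.113.7",
    "2023-12-10T08:14:40Z edr file_create "
    "sha256=f1b40e6e5a7cbc22f7a0bd34607b13e7e3493b8aad7431c47f1366f0256e23eb "
    "path=C:\\Windows\\Temp\\update.tmp",
]

if __name__ == "__main__":
    for hit in sweep_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
    print("benign blob flagged:", file_is_known_bad(b"constructed benign content"))
```

Run it against real exports by replacing SAMPLE_LOGS with the lines of a proxy, DNS or EDR export; the suffix match in domain_is_ioc is what catches a subdomain such as cdn.matclick.com that a plain set lookup would miss, while the set lookups keep the loose regexes from producing noise.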

REFERENCES

  • https://www.cisa.gov/news-events/alerts/2023/12/13/cisa-and-partners-release-advisory-russian-svr-affiliated-cyber-actors-exploiting-cve-2023-42793#:~:text=Since%20September%202023%2C%20Russian%20Foreign,and%20conduct%20arbitrary%20code%20execut
  • https://www.cybersecurity-review.com/news-december-2023/russian-foreign-intelligence-service-svr-exploiting-jetbrains-teamcity-cve-globally/#:~:text=The%20US%20Federal%20Bureau%20of,JetBrains%20TeamCity%20software%20since%20Septem
  • https://www.preludesecurity.com/advisories/aa23-347a#:~:text=December%2013%2C%202023%20What%20we,42793%29%20to%20target%20software%20developers
  • https://www.techtarget.com/searchsecurity/news/366563365/Russian-APT-exploiting-JetBrains-TeamCity-vulnerability#:~:text=CISA%20issued%20a%20joint%20government,disclosed%20and%20patched%20in%20September
  • https://www.infosecurity-magazine.com/news/cozy-bear-russia-jetbrains-teamcity/#:~:text=Cozy%20Bear%2C%20a%20threat%20group,in%20the%20US%2C%20the
  • https://otx.alienvault.com/pulse/657a2c924ea0e3e9e95e9433

TAGS

cisa, ck techniques, graphicalproton, ncsc, cert polska, mimikatz, powersploit, cozybear, wellmess, wellmail, sorefang, encrypt, diplomatic orbiter
