According to a joint report issued on 13 December 2023, by Polish, American, and British authorities, the Russian Foreign Intelligence Service (SVR) is engaged in a global exploitation campaign of CVE-2023-42793, a critical vulnerability impacting JetBrains TeamCity, a tool popular among developers enabling them to automate various tasks in the areas of code compiling, software building, and testing.
The vulnerability consists of an authentication bypass that may enable remote code execution and impacts versions of the software preceding 2023.05.4. There is a public exploit for this vulnerability that was released on September 29.
The report provides the following chain of attack:
The initial intrusion reportedly occurred via CVE-2023-42793 exploitation.
Next, the actor moves to an internal network discovery phase where Windows native tools are used to conduct reconnaissance.
The actor exfiltrated files containing information on the host and the network, with a focus on SQL server-related files.
Privilege escalation was achieved via the Bring Your Own Driver technique, which involves the installation of a signed vulnerable driver onto a compromised machine to enable subsequent exploitation of such vulnerability in kernel mode. In this specific case, the actor exploited the vulnerable driver to deploy EDRSandBlast, a tool used to evade endpoint detection and response (EDR) or antivirus (AV) detection.
At that point, the actor was able to deploy various backdoors, including GraphicalProton. For this purpose, the agencies observed the exploitation of other vulnerabilities, including a DLL hijacking flaw in Zabbix, enabling the injection of a malicious DLL containing the GraphicalProton backdoor. Other tools, such as Mimikatz, were also observed in this phase of the attack.
GraphicalProton enables covert command-and-control channel communication, leveraging cloud services such as Microsoft OneDrive and Dropbox, which enable the attacker to evade network monitoring controls.
The campaign reportedly targeted organizations across sectors globally.
As a mitigation measure, it is critical to ensure JetBrains TeamCity instances running within organizations are properly patched and conduct threat hunting for unusual activity potentially consistent with scanning and reconnaissance.