Multiple North Korean Threat Actors Exploiting the TeamCity CVE-2023-42793 Vulnerability

Cyber Security Threat Summary:
Two North Korean nation-state actors, Lazarus (or Zinc) and Plutonium (or Andariel), have been exploiting a known remote code execution vulnerability in the TeamCity continuous integration and continuous deployment tool. The vulnerability, CVE-2023-42793, was patched by JetBrains in version 2023.05.4. These actors have been targeting on-premises instances of TeamCity, deploying backdoors, stealing credentials, and more. Microsoft's threat intelligence group observed these attacks and noted that both groups may be opportunistically compromising vulnerable servers, but they have also used techniques that could provide persistent access to victim environments.

Security Officer Comments:
Lazarus targeted media, IT services, and defense organizations, carrying out attacks related to espionage, data theft, financial gain, and network destruction. They created scheduled tasks for persistence, deployed the ForestTiger backdoor, and performed DLL search-order hijacking.

Plutonium targeted defense and IT services organizations and established a new user account on compromised systems, deployed a proxy tool called HazyLoad for persistent connections, and stopped the TeamCity service. These attacks pose a high risk to impacted organizations and could potentially be used as a supply-chain attack vector.

Suggested Correction(s):
Microsoft recommends patching, blocking specific IPs, addressing malicious activity, and checking for lateral movement. For more detailed information and a complete list of mitigation measures please see Microsoft’s Advisory directly.