Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

Cyber Security Threat Summary:
In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023. If a TeamCity server is compromised, the attacker gains access to that software developer's source code and signing certificates, along with the ability to subvert software compilation and deployment processes. That access could also be used to conduct software supply chain attacks.

Security Officer Comments:
JetBrains published a patch for the issue on September 20, 2023. However, threat intelligence provider PRODAFT subsequently reported that the release of technical details led to immediate exploitation by a range of ransomware groups. Microsoft also reported in October that two North Korean groups it tracks as Diamond Sleet and Onyx Sleet were exploiting the same vulnerability. On December 13, the UK-backed Shadowserver Foundation said it was still detecting 800 unpatched instances of JetBrains TeamCity worldwide. Cozy Bear, also known as the Dukes, Nobelium, Midnight Blizzard and APT29, is a group of highly skilled hackers with reported ties to the Russian foreign intelligence service (SVR). The group has been active since at least 2008 and has previously been linked to the 2016 info-stealing raid on the Democratic National Committee (DNC), the SolarWinds campaign and separate raids targeting intellectual property related to COVID-19 vaccine development.

Suggested Correction(s):
In the joint advisory, CISA provided a technical analysis of the exploitation of CVE-2023-42793 by Cozy Bear, as well as a list of indicators of compromise (IOCs). The advisory also included a set of mitigation recommendations.

Some of the mitigations were general security measures, like keeping all operating systems, software, and firmware up to date, applying multifactor authentication (MFA) and using an endpoint detection and response (EDR) solution.

Others were specifically provided to mitigate a potential compromise in JetBrains TeamCity. Those included:

  • Apply available patches for CVE-2023-42793 issued by JetBrains for TeamCity in mid-September 2023, if not already completed.
  • Monitor the network for evidence of encoded commands and execution of network scanning tools.
  • Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
  • Require MFA for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems.
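As an added example (not code from the advisory or from JetBrains), the Python sketch below implements two of the checks above over constructed telemetry: it flags process launches that carry an encoded PowerShell command and decodes the argument so an analyst can see what was run, and it lists hosts whose endpoint agent has been silent longer than a threshold. The TeamCity install path, the "teamcity" parent-process hint and the 30-minute silence threshold are assumptions to be adapted to your environment.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). The first
# is a PowerShell launch with an -EncodedCommand argument whose parent image
# sits under a hypothetical TeamCity install path; the second is benign.
_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\TeamCity\jre\bin\java.exe",
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc ...),
# so match any of them followed by a base64-looking token.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en\w*)\s+([A-Za-z0-9+/=]+)")

def decode_powershell(b64):
    """Decode a -EncodedCommand argument: base64 over UTF-16LE text.
    Returns None when the token is not valid base64 or not UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_encoded_commands(events, parent_hint="teamcity"):
    """Alert on events carrying an encoded PowerShell command. Severity is
    raised when the parent image path contains parent_hint (an assumption
    about where the build server's processes live on the host)."""
    alerts = []
    for ev in events:
        m = ENC_FLAG.search(ev["cmdline"])
        if not m:
            continue
        from_build_server = parent_hint in ev["parent"].lower()
        alerts.append({"parent": ev["parent"],
                       "decoded": decode_powershell(m.group(1)),
                       "severity": "high" if from_build_server else "medium"})
    return alerts

def stale_agents(last_seen, now, max_silence=timedelta(minutes=30)):
    """Hosts whose EDR agent has not reported within max_silence
    (the 30-minute default is an assumption; tune to the agent's interval)."""
    return sorted(h for h, t in last_seen.items() if now - t > max_silence)

# Constructed heartbeat table: one agent reporting normally, one silent for hours.
NOW = datetime(2023, 12, 14, 9, 0, 0)
SAMPLE_HEARTBEATS = {"build-agent-01": NOW - timedelta(minutes=5),
                     "teamcity-srv": NOW - timedelta(hours=3)}
```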