North Korean Attacks Exploiting JetBrains TeamCity Vulnerability

Background:

The program can be accessed through TeamCity Cloud, a cloud-hosted solution, or installed on an individual server using TeamCity on-premises. Over 3,000 of these on-site servers are directly connected to the Internet, claims Shodan.

Applications development, testing, and deployment are automated using CI/CD servers such as TeamCity. This implies that these servers have access to source code, one of a business’s most precious assets. They maintain control over the build artifacts that are included with software releases in addition to storing private keys and secrets because they are also in charge of developing and implementing this source code. Because of this, attackers view CI/CD servers as very valuable targets.

CVE-2023-42793:

Versions of TeamCity server 2023.05.3 and lower are vulnerable to authentication bypasses, granting remote code execution (RCE) to an unauthenticated attacker. This makes it possible for hackers to steal private keys and stored service secrets in addition to source code. Even worse, attackers can inject malicious code into the build process, compromising product releases and affecting all users in the process.

The presence of the RPC2 authentication token is a reliable sign of compromise. It’s possible that a malicious user produced a token with this name in order to access the server without authorization.

Exploitation of CVE-2023-42793:

Microsoft has seen that two North Korean nation-state threat actors, Diamond Sleet, and Onyx Sleet, have been abusing CVE-2023-42793. This remote-code execution vulnerability has affected certain JetBrains TeamCity server versions, since early October 2023.

By breaking into build environments, Diamond Sleet and other North Korean threat actors have effectively conducted software supply chain attacks in the past. Microsoft determines that this action presents an especially high risk to the impacted entities in light of this.

Diamond Sleet:

Espionage, data theft, financial gain, and network destruction are the top priorities of the North Korean nation-state threat actor Diamond Sleet (ZINC). Typically, the actor targets global defense-related organizations, media outlets, and IT infrastructure. Security researchers were the focus of Diamond Sleet’s January 2021 attack, and in September 2022, Microsoft released a paper detailing how the actor had turned open-source software into a weapon. A German software supplier was compromised in August 2023 by Diamond Sleet’s software supply chain attack.

One of Diamond Sleet’s two attack routes involves a successful penetration of TeamCity servers, which is followed by the threat actor deploying a known implant dubbed ForestTiger from legitimate infrastructure that it has previously penetrated.

A second version of the attack uses the first foothold to load a malicious DLL (DSROLE.dll, also known as RollSling, Version.dll, or FeedLoad) via a method called DLL search-order hijacking. This DLL can then be used to launch a remote access trojan (RAT) or a next-stage payload.

Onyx Sleet:

The North Korean nation-state threat actor Onyx Sleet (PLUTONIUM) mostly targets defense and IT services companies in South Korea, the US, and India. Onyx Sleet uses a powerful collection of tools that they have created to gain ongoing access to victim surroundings while avoiding detection. The actor regularly gains early access to targeted organizations by taking advantage of N-day vulnerabilities.

Onyx Sleet’s intrusions leverage the access provided by the JetBrains TeamCity bug exploitation to establish a new user account named krtbgt, which is probably meant to mimic the Kerberos Ticket Granting Ticket.

Securing CI/CD Platforms:

Applications that are used in CI/CD pipelines are exposed to a number of possible security threats. The following are some approaches that can be incorporated into CI/CD pipelines to enhance application security (AppSec):

• Source Composition Analysis (SCA): In order to defend against supply chain assaults and vulnerable third-party code, SCA solutions identify the third-party dependencies that an application needs and the potential vulnerabilities that they may have.
• Source Code Scanning: Static application security testing, or SAST, looks for vulnerabilities in an application’s source code. DevOps teams can find vulnerabilities early in the software development lifecycle (SDLC) and fix them at a lower cost of remediation by using code scanning technologies.
• Security Testing: Dynamic application security testing (DAST) solutions can find vulnerabilities in functional applications during the testing phase of the SDLC. These tests can find problems that SAST solutions are unable to uncover, even when they take place later in the SDLC.
• Runtime Security: It’s possible for vulnerabilities to go undetected during testing or to be found after a program is put into production. After an application is delivered to production, runtime security solutions like runtime application self-protection (RASP) can continue to monitor and defend it.