
Russian SVR Group Lets Themselves In the Backdoor

Published: January 20, 2024 on our newsletter Security Fraud News & Alerts Newsletter.



The FBI, U.S. CISA, and the NSA, along with some agencies in allied countries including the Polish Military Counterintelligence Service (SKW) and the UK’s National Cyber Security Centre (NCSC) are warning that Russian Foreign Intelligence Service (SVR) cyber actors are exploiting a JetBrains TeamCity software vulnerability (CVE-2023-42793) at a large scale. They are actively targeting servers hosting JetBrains TeamCity software. This has been occurring since September 2023.


TeamCity software is used by software developers to manage and automate processes such as compiling, building, testing, and releasing software. Unauthorized access to a TeamCity server could give malicious actors access to crucial assets such as source code and signing certificates. It could also give them the ability to manipulate the software compilation and deployment processes, which could be leveraged to conduct supply chain operations, as was done in the 2020 SolarWinds incident.


Thus far, the organizations think the number of victims has been limited, and the compromises have appeared to be somewhat opportunistic. However, this group has shown themselves to be patient in this case. They have been observed moving laterally within networks, taking their time to deploy additional backdoors and take other strategic actions to ensure they can remain in the environments they've let themselves into for an extended period of time.



To raise awareness about these actions by Russia and help organizations respond to potential threats, the various agencies reporting the threat are getting the word out regarding the SVR's most recent compromise. This is intended to help organizations conduct their own investigations, secure their networks, and provide actionable indicators of compromise (IOCs) for entities that may have fallen victim to the breach.


For organizations with systems that could be affected by this threat, it's strongly advised to apply available patches immediately. If that isn't possible, consider implementing workarounds until your organization is able to get those patches applied. In the meantime, the authoring agencies strongly recommend assuming you do have systems that were compromised and initiating threat-hunting activities.


Should there be any indication that your organization has been compromised, it’s recommended that administrators apply the incident response recommendations provided in the advisory. These can be found on the CISA website. Additionally, any key findings should be promptly reported to both the FBI and CISA.


Want to schedule a conversation? Please email us at advisor@nadicent.com



