Global TeamCity exploitation opens door to SolarWinds-style nightmare

v class="columns small-12 single-post-content_text-container">

APT29, the notorious Russian advanced persistent threat behind the 2020 SolarWinds hack, is actively exploiting a critical security vulnerability in JetBrains TeamCity that could open the door to rampant software supply chain attacks.

That’s the word from CISA, the FBI, the NSA, and a host of international partners, who said in a joint alert today that APT29 (aka CozyBear, the Dukes, Midnight Blizzard, or Nobelium) is hammering servers hosting TeamCity software “at a large scale” using the unauthenticated remote code execution (RCE) bug. According to the feds, the exploitation of the issue, tracked as CVE-2023-42793 (CVSS score of 9.8), started in September after JetBrains patched the flaw and Rapid7 released a public proof-of-concept (PoC) exploit for it; but now, it has grown to be a worrying global phenomenon that could result in widespread damage.

The affected platform is a software development lifecycle (SDLC) management tool, which houses everything from source code to signing certificates. Successful incursions could give cyberattackers access to that valuable data, but could also provide a way to alter software compilations and deployment processes — raising the possibility that another SolarWinds-type attack wave could be in the offing.

“[An exploit] may allow for deploying a malicious update which, in the simplest scenario, could execute adversary tools resulting in enabling access to devices or whole networks,” according to Wednesday’s joint alert on the TeamCity attacks. “In more complicated scenarios, access to the build pipeline could allow for compromising compiled source code and for introduction of almost indetectable modification to software — such as minuscule changes to cryptography protocols that could enable decryption of the protected data.”

Persistent TeamCity Backdoors Withstand Patching

In the SolarWinds incident, APT29 was able to stow away on legitimate SolarWinds software updates, landing automatically on legions of victim networks. From the 18,000 compromised, the group cherry-picked targets for second-wave incursions, successfully infiltrating several US government agencies and tech companies including Microsoft and FireEye (now part of Trellix).

For now, the TeamCity attacks have not yet gone that far. But APT29, which the agencies have linked to Russia’s Foreign Intelligence Service (SVR), has “been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” according to the alert.

And indeed, if you’re a nation-state threat looking for prime lurking opportunities, one of the benefits of using the exploit is the fact that patching alone won’t mitigate the danger. As JetBrains pointed out in its original bug advisory, “Any backdoors are likely to persist and remain undetected after the TeamCity upgrade or security patch plugin are subsequently applied, leaving environments at risk of further exploitation.”

To read the complete article, visit Dark Reading.