JetBrains TeamCity servers have become a target of CozyBear, a Russian state-backed group. Exploiting a vulnerability that was disclosed and patched in September 2023, the attackers were able to execute arbitrary code on exposed servers without any authentication.
TeamCity Vulnerability Exploited by CozyBear
JetBrains TeamCity servers, a widely used CI/CD component of the software development lifecycle, have recently been targeted in a campaign reminiscent of the SolarWinds compromise. CozyBear (also tracked as APT29), a group attributed to the Russian Foreign Intelligence Service (SVR), exploited a critical vulnerability in TeamCity On-Premises, tracked as CVE-2023-42793. The flaw is an authentication bypass that lets an unauthenticated attacker execute code remotely on the server, with no user interaction. TeamCity is used by more than 30,000 organizations worldwide, so the exposure is substantial.
Exploitation began in September 2023 and has been used to compromise a wide range of companies and more than a hundred devices, affecting organizations in the United States, Europe, Asia, and Australia. The victims span sectors from billing and finance to gaming and medical devices. The breadth of the impact underlines both the severity of the flaw and the tradecraft of CozyBear, the group behind the 2020 SolarWinds supply chain attack.
CozyBear Tactics and Techniques
Once inside a TeamCity server, CozyBear relied on Mimikatz, a well-known credential-dumping tool that harvests passwords and hashes from LSASS memory and from the Windows registry hives (SAM, SYSTEM, SECURITY). The stolen credentials let the attackers escalate privileges and move laterally, giving them deeper and broader control over the compromised environment.
To stay hidden, CozyBear deployed the GraphicalProton backdoor. It uses legitimate cloud storage services, OneDrive and Dropbox, as its command-and-control channel, and hides the data it exchanges with the operators inside randomly generated BMP image files that it uploads to and downloads from those services. Because traffic to Microsoft and Dropbox endpoints looks like ordinary user activity, the malicious communications blend in with regular traffic and are far less likely to be flagged.
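One detection a defender can build from the tradecraft described above: a build server has no business talking to consumer cloud storage, and an upload of BMP data to such a service from that host is stronger still. The script below is an added example, not code from the original article or from any advisory; it runs over a constructed outbound-proxy log in a made-up whitespace-separated format, and the host names in BUILD_SERVERS are placeholders for your own CI inventory.

```python
"""Flag build servers contacting OneDrive/Dropbox APIs in outbound proxy logs,
raising severity when the request is a BMP upload.

Log format (constructed for this example, not a real product format):
    <timestamp> <src_host> <dst_host> <method> <path> <content_type> <bytes>
"""
import re
from dataclasses import dataclass

# Hosts that should only reach VCS, package registries and similar.
# Assumption: placeholder names standing in for a real CI inventory.
BUILD_SERVERS = {"ci-prod.example.internal", "ci-legacy.example.internal"}

# Domains serving the Dropbox and OneDrive APIs (graph.microsoft.com fronts
# the OneDrive REST API). Extend with whatever your proxy actually sees.
CLOUD_STORAGE_RE = re.compile(
    r"(^|\.)(dropboxapi\.com|dropbox\.com|graph\.microsoft\.com|"
    r"api\.onedrive\.com|onedrive\.live\.com|1drv\.com)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    severity: str
    reason: str


def parse_line(line: str):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, method, path, ctype, nbytes = parts
    return {"ts": ts, "src": src, "dst": dst, "method": method,
            "path": path, "ctype": ctype, "bytes": int(nbytes)}


def analyze(lines):
    """Return an Alert for every cloud-storage contact made by a build server."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in BUILD_SERVERS:
            continue
        if not CLOUD_STORAGE_RE.search(rec["dst"]):
            continue
        severity, reason = "medium", "build server contacting cloud storage API"
        is_upload = rec["method"] in ("POST", "PUT")
        looks_bmp = rec["ctype"] == "image/bmp" or ".bmp" in rec["path"].lower()
        if is_upload and looks_bmp:
            severity, reason = "high", "BMP upload to cloud storage from build server"
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], severity, reason))
    return alerts


# Constructed sample traffic: two GraphicalProton-style BMP uploads and one
# download from CI servers, a legitimate plugin fetch, a workstation visiting
# Dropbox, and a malformed line.
SAMPLE_LOG = [
    "2023-12-14T09:12:01Z ci-prod.example.internal content.dropboxapi.com POST /2/files/upload image/bmp 48213",
    "2023-12-14T09:12:09Z ci-prod.example.internal graph.microsoft.com PUT /v1.0/me/drive/root:/sync/x9f2k.bmp:/content application/octet-stream 51002",
    "2023-12-14T09:13:00Z ci-prod.example.internal plugins.jetbrains.com GET /plugin/download application/octet-stream 2031",
    "2023-12-14T09:14:00Z ws-alice.example.internal www.dropbox.com GET /home text/html 11923",
    "2023-12-14T09:15:30Z ci-legacy.example.internal content.dropboxapi.com POST /2/files/download application/octet-stream 9981",
    "malformed line",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst}: {a.reason}")
```

The medium-severity branch matters as much as the high one: the backdoor also has to download its tasking, and those requests carry no BMP marker. If your pipelines legitimately push artifacts to OneDrive or Dropbox, allowlist the specific service account and path rather than the whole domain, or the rule loses its value.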
Another SolarWinds Attack?
The 2020 SolarWinds attack is often linked to a basic credential hygiene failure: a password for SolarWinds' update server had been sitting in a public GitHub repository since 2018, and when security researcher Vinoth Kumar reported it in November 2019, it drew little attention. Whether that password was the actual initial access vector was never confirmed, but the intrusion that followed compromised high-profile targets and reached about 18,000 SolarWinds customers who installed the trojanized update.
The lesson was that reported security lapses need prompt action, and that in a highly interconnected software ecosystem vigilance and proactive defense are not optional. The TeamCity campaign suggests that lesson has not been fully absorbed.
Mitigation and Response
JetBrains has released a fix and recommends applying it immediately: the patch is included in TeamCity 2023.05.4 and later, and JetBrains also published a security patch plugin for deployments that cannot be upgraded right away. Despite this, Shadowserver scans show that about 800 internet-exposed instances worldwide still have not been patched, with more than 230 of them in the United States. Ignoring available updates, and then paying for it, is becoming a pattern.
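A quick way to find the unpatched instances in your own estate is to compare the version each server reports against the 2023.05.4 fix level. The script below is an added example, not JetBrains' code or tooling; it assumes the version attribute on the root element of a `/app/rest/server` response (which normally requires credentials to fetch), and the host names, build numbers and responses in SAMPLE_INVENTORY are constructed for the example.

```python
"""Audit TeamCity version strings against the CVE-2023-42793 fix level.

TeamCity reports its version in the REST API as an attribute on the root
element of /app/rest/server, e.g. <server version="2023.05.3 (build ...)">.
The responses in SAMPLE_INVENTORY are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First release containing the fix for CVE-2023-42793.
PATCHED: Version = (2023, 5, 4)

# Matches "2023.05.3", "2023.05" (patch level 0) and "2022.10.1".
VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?\b")


def parse_version(text: str) -> Optional[Version]:
    """Turn a TeamCity version string into a comparable (year, minor, patch)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    year, minor, patch = m.groups()
    return (int(year), int(minor), int(patch or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version predates 2023.05.4, None if it cannot be parsed."""
    v = parse_version(version_text)
    return None if v is None else v < PATCHED


def version_from_rest(xml_text: str) -> Optional[str]:
    """Pull the version attribute out of a /app/rest/server response."""
    try:
        return ET.fromstring(xml_text).get("version")
    except ET.ParseError:
        return None


def audit(inventory):
    """Map host -> 'VULNERABLE' | 'patched' | 'unknown' from REST responses."""
    report = {}
    for host, body in inventory.items():
        ver = version_from_rest(body)
        flag = None if ver is None else is_vulnerable(ver)
        report[host] = "unknown" if flag is None else ("VULNERABLE" if flag else "patched")
    return report


# Constructed responses: hostnames and build numbers are illustrative only.
SAMPLE_INVENTORY = {
    "ci-prod.example.internal": '<server version="2023.05.3 (build 129390)" versionMajor="2023" versionMinor="5"/>',
    "ci-legacy.example.internal": '<server version="2022.10 (build 116751)"/>',
    "ci-new.example.internal": '<server version="2023.05.4 (build 129421)"/>',
    "ci-next.example.internal": '<server version="2023.11 (build 147412)"/>',
    "ci-down.example.internal": '<html><body>503 Service Unavailable</body></html>',
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Two caveats when reading the output. A pre-2023.05.4 version string is not proof of exploitability, because a server may have the security patch plugin installed instead of the upgrade, so confirm on the host. And a patched server is not a clean one: if it was exposed before the fix, treat it as possibly compromised, rotate the credentials and access tokens it held, and review its users and build agents for anything unexpected.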