Cozy Bear, a threat group linked with the Russian foreign intelligence service (SVR), has been conducting a global hacking campaign targeting servers hosting JetBrains TeamCity software, according to US, UK and Polish government agencies.
In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023.
The #FBI and its partners assess that Russian Foreign Intelligence Service (SVR) cyber actors have been targeting servers hosting JetBrains TeamCity software since September 2023. Click to learn about recommended mitigations for network defenders: https://t.co/teBvDs7nO1 pic.twitter.com/d3a7gfYiAd
— FBI (@FBI) December 13, 2023
TeamCity is a popular product from the Czech software provider JetBrains. Companies use it to manage and automate software compilation, building, testing, and releasing.
“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes,” reads the advisory.
This access could also be used to conduct software supply chain attacks. The report noted that the the SVR used such access to compromise SolarWinds and its customers in 2020.
However, in this most recent case, the joint advisory said: “The limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner.”
“The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” it added.
Officials said they have notified dozens of companies across the US, Europe, Asia and Australia after discovering hundreds of compromised devices.
Speaking to Infosecurity, Yaroslav Russkih, head of security at JetBrains, said his company worked on a patch immediately after being informed about the vulnerability. The patch was made available was available in TeamCity 2023.05.4 update, which was released on September 18, 2023.
“Since then, we have been contacting our customers directly or via public posts motivating them to update their software. We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn’t upgrade in time. In addition, we have been sharing the best security practices to help our customers strengthen the security of their build pipelines,” Russkih added.
“As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted."
Is It the First Time This Vulnerability Is Being Exploited?
JetBrains published a patch for the issue on September 20, 2023.
However, threat intelligence provider PRODRAFT subsequently reported that the release of technical details led to immediate exploitation by a range of ransomware groups.
Microsoft also reported in October that two North Korean groups it tracks as Diamond Sleet and Onyx Sleet were exploiting the same vulnerability.
On December 13, the UK-backed Shadowserver Foundation said it was still detecting 800 unpatched instances of JetBrains TeamCity worldwide.
We still see nearly 800 JetBrains TeamCity unpatched instances worldwide unfortunately: https://t.co/agsWlW0e20
— Shadowserver (@Shadowserver) December 13, 2023
You can also track CVE-2023-42793 attacks by source here:https://t.co/SWYErE7YV0
If you receive an alert from us, make sure to investigate for signs of compromise https://t.co/tdee1TK4Dn pic.twitter.com/UDv7fXInKb
JetBrains' Russkih commented: "The estimate from the Shadowserver Foundation doesn't distinguish the instances patched with a dedicated security plugin JetBrains released for customers with older versions (since they only look at the version number). We have already reached out to them to discuss possible improvements."
Who are Behind the Cozy Bear Moniker?
Cozy Bear, also known as the Dukes, Nobelium, Midnight Blizzard and APT 29, is a group of highly skilled hackers with reported ties to the Russian foreign intelligence service (SVR).
The group has been active since at least 2008.
Their activity has previously been attributed to the 2016 info-stealing raid on the Democratic National Committee (DNC), the SolarWinds campaign and separate raids targeting intellectual property related to COVID-19 vaccine development.
CISA’s Recommendations to Mitigate CVE-2023-42793 Exploit
In the joint advisory, CISA provided a technical analysis of the exploitation of CVE-2023-42793 by Cozy Bear, as well as a list of indicators of compromise (IOCs).
They also issued a set of mitigation recommendations.
Some of the mitigations were general security measures, like keeping all operating systems, software, and firmware up to date, applying multifactor authentication (MFA) and using an endpoint detection and response (EDR) solution.
Read more: Is MFA Enough to Protect You Against Cyber-Attacks?
Others were specifically provided to mitigate a potential compromise in JetBrains TeamCity. Those included:
- Apply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if not already completed
- Monitor the network for evidence of encoded commands and execution of network scanning tools
- Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time
- Require MFA for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems
