North Korean threat actors are actively exploiting a critical vulnerability in a continuous integration/continuous deployment (CI/CD) application used in software development, Microsoft has warned.
The tech giant said it has observed two North Korean nation-state actors – Diamond Sleet and Onyx Sleet – exploiting the remote code execution vulnerability, CVE-2023-42793, since early October 2023.
The flaw, which has a 9.8 CVSS severity rating, affects multiple versions of JetBrains TeamCity server used by organizations for DevOps and other software activities.
Microsoft noted that Diamond Sleet and Onyx Sleet have previously successfully carried out software supply chain attacks by infiltrating build environments. Therefore, it assesses this activity as posing “a significantly high risk” to affected organizations.
Based on the profile of organizations affected by these intrusions so far, the researchers believe the attackers may be opportunistically compromising vulnerable servers. “However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments,” read the advisory.
How the Groups Target Organizations
Microsoft highlighted the different focuses and approaches of the two North Korean threat actors. Diamond Sleet primarily targets media, IT services and defense-related entities around the world for the purposes of espionage, data theft, financial gain and network destruction.
Once it has compromised TeamCity servers, the group deploys ‘ForestTiger’ malware to execute commands on the breached server. Another attack path used by Diamond Sleet leverages PowerShell on compromised servers to download a malicious DLL from attacker infrastructure to carry out DLL search-order hijacking.
Onyx Sleet’s main targets are defense and IT services organizations in South Korea, the US, and India. It has developed a set of tools that enables it to establish persistent access to victim environments and remain undetected.
Following successful exploitation of the TeamCity vulnerability, the group deploys a proxy tool known as HazyLoad to establish a persistent connection between the compromised host and attacker-controlled infrastructure.
How to Defend Against These Threats
Microsoft set out a range of actions for organizations using TeamCity to take to prevent and respond to these attacks, including:
- Apply TeamCity’s 2023.05.4 update that contains a fix. A plugin for older TeamCity versions (8.0+) has also been created.
- Use antivirus tools to quickly identify and stop new and unknown threats
- Analyze Microsoft’s indications of compromise (IOC) list to help investigate whether the attackers have compromised your environment.
- Block in-bound traffic from IPs specified in the IOC list.
- If malicious code has been found to have bene launched on a device, immediately isolate the system and perform a reset of credentials and tokens.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts.