Protect Your Servers: JetBrains TeamCity Flaw Alert
In recent news, Microsoft has issued a warning about a JetBrains TeamCity flaw being exploited by North Korean threat actors. These attacks, linked to the infamous Lazarus Group, pose a significant risk to servers. In this article, we will explore the details of this threat and, more importantly, provide you with actionable steps to safeguard your servers from potential breaches.
Understanding JetBrains TeamCity Flaw
Microsoft’s report reveals that North Korean threat actors, specifically Diamond Sleet (also known as Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima), are actively exploiting a critical security vulnerability known as CVE-2023-42793. This vulnerability has a high CVSS (Common Vulnerability Scoring System) score of 9.8, indicating its severity.
Both Diamond Sleet and Onyx Sleet are part of the Lazarus Group, a notorious North Korean nation-state actor known for its persistent and sophisticated cyber-attacks. These threat actors are taking advantage of the vulnerability in JetBrains TeamCity to breach vulnerable servers, putting businesses at risk.
Two Attack Paths
There are two attack paths employed by these threat actors, each with its own distinct approach. It’s crucial to understand these paths to better defend your servers.
Diamond Sleet’s Approach
In the first attack path used by Diamond Sleet, the threat actor successfully compromises TeamCity servers. Following this breach, they deploy a known implant called ForestTiger. What’s particularly alarming is that this implant is loaded from legitimate infrastructure that the threat actor has previously compromised, which makes the intrusion harder to detect. Because of this, the JetBrains TeamCity flaw can prove to be extremely harmful.
The second variant of the attacks by Diamond Sleet is equally concerning. It involves the retrieval of a malicious DLL (DSROLE.dll, also known as RollSling or Version.dll or FeedLoad). This DLL is loaded using a technique known as DLL search-order hijacking. This allows the threat actor to execute a next-stage payload or deploy a remote access trojan (RAT). Microsoft has observed instances where the threat actors combined tools and techniques from both attack sequences, making them even more formidable.
Onyx Sleet’s Strategy
Onyx Sleet takes a different approach. After exploiting the JetBrains TeamCity flaw, this threat actor creates a new user account named “krtbgt.” This account is likely intended to impersonate the Kerberos Ticket Granting Ticket account. To make matters worse, the threat actor adds this account to the Local Administrators Group using the “net use” command.
Once this is done, the threat actor runs system discovery commands on the compromised systems and then deploys a custom proxy tool called “HazyLoad,” which establishes a persistent connection between the compromised server and the attacker’s infrastructure.
Another concerning post-compromise action is the use of the attacker-controlled “krtbgt” account to log in via remote desktop protocol (RDP) and terminate the TeamCity service. This is done to prevent access by other threat actors, emphasizing the advanced and aggressive nature of these attacks.
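As an added example (not part of Microsoft’s report or this article), the following hunt looks for the Onyx Sleet chain described above in Windows event records: a lookalike of the real “krbtgt” account being created, added to Administrators, used for an RDP logon, and the TeamCity service being stopped. It assumes a simplified JSON-style export of Security and System events (field names are constructed); the event IDs 4720, 4732, 4624 (logon type 10) and 7036 are the standard Windows ones.

```python
from collections import defaultdict

# Constructed sample records (simplified JSON-style export, not a real schema).
# IDs: 4720 account created, 4732 member added to local group,
# 4624 logon (type 10 = RemoteInteractive/RDP), 7036 service state change.
EVENTS = [
    {"id": 4720, "host": "tc-build01", "target": "krtbgt"},
    {"id": 4732, "host": "tc-build01", "group": "Administrators", "member": "krtbgt"},
    {"id": 4624, "host": "tc-build01", "user": "krtbgt", "logon_type": 10},
    {"id": 7036, "host": "tc-build01", "service": "TeamCity", "state": "stopped"},
    {"id": 4720, "host": "fileserver", "target": "svc_backup"},
    {"id": 4732, "host": "fileserver", "group": "Administrators", "member": "svc_backup"},
]

def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so the transposition krtbgt -> krbtgt costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def is_krbtgt_lookalike(name):
    """True for names within one edit or swap of 'krbtgt', excluding the real account."""
    n = name.lower()
    return n != "krbtgt" and osa_distance(n, "krbtgt") <= 1

def hunt(events):
    """Return {host: [stages seen]}; a host hitting several stages stands out."""
    findings = defaultdict(list)
    for e in events:
        if e["id"] == 4720 and is_krbtgt_lookalike(e["target"]):
            findings[e["host"]].append("account_created")
        elif e["id"] == 4732 and e["group"].lower() == "administrators" \
                and is_krbtgt_lookalike(e["member"]):
            findings[e["host"]].append("added_to_administrators")
        elif e["id"] == 4624 and e.get("logon_type") == 10 and is_krbtgt_lookalike(e["user"]):
            findings[e["host"]].append("rdp_logon")
        elif e["id"] == 7036 and "teamcity" in e["service"].lower() and e["state"] == "stopped":
            findings[e["host"]].append("teamcity_service_stopped")
    return dict(findings)
```

Run against a real export, the host that accumulates all four stages is the one to isolate first; a lone TeamCity service stop is a much weaker signal on its own.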
The Lazarus Group’s Notorious History
Over the years, the Lazarus Group has gained notoriety as one of the most pernicious and sophisticated advanced persistent threat (APT) groups globally. They have orchestrated a wide range of attacks, including financial crimes and espionage. These attacks encompass cryptocurrency heists and supply chain breaches, with the stolen funds often used to finance their missile program and other activities.
U.S. Deputy National Security Advisor Anne Neuberger highlighted the group’s involvement in hacking cryptocurrency infrastructure worldwide, further underscoring the financial motive behind their actions.
AhnLab Security Emergency Response Center (ASEC) has also detailed the Lazarus Group’s use of malware families such as Volgmer and Scout to serve as backdoors for controlling infected systems. The Lazarus Group employs various attack vectors, including spear-phishing and supply chain attacks. These tactics have been associated with another campaign codenamed “Operation Dream Magic,” which involves watering hole attacks to exploit security flaws in products like INISAFE and MagicLine.
Securing JetBrains TeamCity
Now, let’s focus on what you can do to protect your servers from attackers exploiting this TeamCity vulnerability. Microsoft has provided a set of recommended mitigation actions:
- Apply JetBrains Updates: Ensure you apply the updates or mitigations released by JetBrains to address the CVE-2023-42793 vulnerability. Keeping your software up-to-date is a fundamental step in reducing the risk of exploitation.
- Attack Surface Reduction Rule: Activate the “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” rule to further enhance your server’s security.
- Investigate Indicators of Compromise (IoC): Use the provided indicators of compromise to investigate whether they exist in your environment. This step can help you assess potential intrusion and take corrective actions.
- Block Inbound Traffic: Consider blocking inbound traffic from IP addresses specified in the IoC table. This proactive measure can help prevent unauthorized access to your servers.
- Safe DLL Search Mode: Ensure that “Safe DLL Search Mode” is enabled. This helps prevent DLL search-order hijacking of the kind described above.
- Immediate Action: If you suspect malicious activity on your server, take immediate action. Isolate the compromised system and reset credentials and tokens. This is crucial in regaining control and minimizing potential damage.
- Use Microsoft Defender Antivirus: Enable Microsoft Defender Antivirus with cloud-delivered protection and automatic sample submission. These advanced features use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Investigate for Lateral Movement: Examine the device timeline for signs of lateral movement activities using compromised accounts. Look for additional tools that attackers may have left behind to enable further unauthorized access.
The threat posed by North Korean hackers exploiting the TeamCity security issue is serious and requires immediate attention. By understanding the attack methods, implementing the recommended mitigation actions, and adopting robust cybersecurity measures, you can significantly reduce the risk to your servers. Cybersecurity is an ongoing battle, and staying vigilant and prepared is the key to protecting your valuable assets from cyber threats.