
North Korean attacks exploit flaw in JetBrains TeamCity

Details of Lazarus Group attacks on JetBrains TeamCity vulnerabilities

Microsoft reported North Korean attacks on JetBrains TeamCity, exploiting a serious security flaw. The attacks aim to compromise servers and use various techniques, including Trojans and custom proxies. Microsoft attributed the attacks to known groups linked to the North Korean government.


North Korean threat actors are actively exploiting a severe security vulnerability in JetBrains TeamCity to opportunistically breach vulnerable servers, Microsoft reports. The attacks, which involve the exploitation of CVE-2023-42793 (CVSS score: 9.8), were attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). Both threat activity clusters are part of the well-known North Korean state group Lazarus Group.

Attack methods used

In one of the two attack paths used by Diamond Sleet, the TeamCity server is compromised and an implant known as ForestTiger is then deployed from legitimate infrastructure the threat actor had previously compromised. The second variant uses the initial foothold to retrieve a malicious DLL (DSROLE.dll, aka RollSling, or Version.dll, aka FeedLoad), which is loaded via DLL search order hijacking to execute a later-stage payload or a remote access trojan (RAT). Microsoft said that in some cases it has observed the adversary combining tools and techniques from both attack sequences.

Onyx Sleet attacks and subsequent actions

The intrusions mounted by Onyx Sleet, by contrast, use the access gained by exploiting the JetBrains TeamCity bug to create a new user account called krtbgt, presumably with the intent of impersonating the Kerberos Ticket Granting Ticket account. “After creating the account, the threat actor adds it to the Local Administrators group via net use,” Microsoft said. “The threat actor also executes several system discovery commands on the compromised systems.” The attacks then lead to the deployment of a custom proxy tool called HazyLoad, which helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Another significant post-compromise action is to use the attacker-controlled krtbgt account to access the compromised device via Remote Desktop Protocol (RDP) and disrupt the TeamCity service, in an attempt to prevent access by other threat actors.
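The Onyx Sleet post-exploitation chain above (a krbtgt-lookalike account created, added to local Administrators, then used over RDP) can be flagged from Windows Security events. The following is an added example written for this article, not code from Microsoft's report; the event records are constructed samples with simplified field names (real 4732 events carry the member as a SID, so a production rule would resolve MemberSid first).

```python
"""Flag the Onyx Sleet post-exploitation pattern described above in
Windows Security events: creation of a krbtgt-lookalike local account,
its addition to the local Administrators group, and an RDP logon with it."""
import difflib

# Constructed sample events (not real telemetry), reduced to the fields
# the detection needs. 4720 = account created, 4732 = member added to a
# security-enabled local group, 4624 = logon (LogonType 10 = RDP).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_build", "LogonType": 3},
    {"EventID": 4720, "TargetUserName": "krtbgt", "SubjectUserName": "teamcity"},
    {"EventID": 4732, "MemberName": "krtbgt", "TargetUserName": "Administrators"},
    {"EventID": 4624, "TargetUserName": "krtbgt", "LogonType": 10},
    {"EventID": 4720, "TargetUserName": "jdoe", "SubjectUserName": "helpdesk"},
]


def looks_like_krbtgt(name: str, threshold: float = 0.8) -> bool:
    """True for names that imitate the built-in krbtgt account (for example
    the transposition 'krtbgt' seen in these attacks) but are not it."""
    n = name.lower()
    if n == "krbtgt":
        return False  # the real account is created by the OS, not by an actor
    return difflib.SequenceMatcher(None, n, "krbtgt").ratio() >= threshold


def detect(events):
    """Return (account, stage) findings for every lookalike account that is
    created, elevated to local Administrators, or used for an RDP logon."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720 and looks_like_krbtgt(ev["TargetUserName"]):
            findings.append((ev["TargetUserName"], "created"))
        elif (eid == 4732 and ev.get("TargetUserName") == "Administrators"
              and looks_like_krbtgt(ev["MemberName"])):
            findings.append((ev["MemberName"], "added_to_local_admins"))
        elif (eid == 4624 and ev.get("LogonType") == 10
              and looks_like_krbtgt(ev["TargetUserName"])):
            findings.append((ev["TargetUserName"], "rdp_logon"))
    return findings


if __name__ == "__main__":
    for account, stage in detect(SAMPLE_EVENTS):
        print(f"ALERT krbtgt-lookalike account {account!r}: {stage}")
```

Seeing all three stages for the same account on a TeamCity host is a strong signal to isolate the server and review it for HazyLoad and the DLLs named above.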


10/19/2023 08:50

Editorial AI
