
North Korean attacks exploit flaw in JetBrains TeamCity

Details of Lazarus Group attacks on JetBrains TeamCity vulnerabilities

Microsoft reported North Korean attacks on JetBrains TeamCity that exploit a critical security flaw in the CI/CD server. The attacks aim to compromise servers and use various techniques, including remote access trojans and custom proxy tools. Microsoft attributed the attacks to known groups linked to the North Korean government.


North Korean threat actors are actively exploiting a severe security vulnerability in JetBrains TeamCity to opportunistically breach vulnerable servers, Microsoft reports. The attacks, which involve the exploitation of CVE-2023-42793 (CVSS score: 9.8), were attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). Both threat activity clusters are part of the well-known North Korean state group Lazarus Group.

Attack methods used

In the first of two attack paths used by Diamond Sleet, a successful compromise of a TeamCity server is followed by the deployment of an implant known as ForestTiger, retrieved from legitimate infrastructure that the threat actor had previously compromised. The second variant uses the initial foothold to retrieve a malicious DLL (DSROLE.dll, aka RollSling, or Version.dll, aka FeedLoad), which is loaded via a technique called DLL search order hijacking to execute a later-stage payload or a remote access trojan (RAT). Microsoft said that in some cases it has observed the adversary combining tools and techniques from both attack sequences.

Onyx Sleet attacks and subsequent actions

The intrusions mounted by Onyx Sleet, however, use the access gained by exploiting the JetBrains TeamCity bug to create a new user account called krtbgt, presumably intended to pass for the Kerberos Ticket Granting Ticket account (krbtgt). "After creating the account, the threat actor adds it to the Local Administrators group via net use," Microsoft said. "The threat actor also executes several system discovery commands on the compromised systems." The attacks then proceed to deploy a custom proxy tool called HazyLoad, which establishes a persistent connection between the compromised host and attacker-controlled infrastructure. Another significant post-compromise action is to use the attacker-controlled krtbgt account to access the compromised device via Remote Desktop Protocol (RDP) and stop the TeamCity service, in an attempt to prevent access by other threat actors.
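The post-exploitation steps above (rogue account creation, addition to the local Administrators group, RDP logon with that account) and the DLL search order hijacking from the Diamond Sleet section are the observable points a defender can hunt for. The following Python is an added detection example, not part of this article or of Microsoft's report: it runs over constructed Windows Security log records (Event IDs 4720, 4732, 4624) and Sysmon-style Event ID 7 image-load records. The hostnames, paths and signature fields are made up for the example, the lookalike threshold is a choice of this example, and it assumes that a legitimate, Microsoft-signed copy of dsrole.dll or version.dll is only ever loaded from System32 or SysWOW64.

```python
# Added detection example (not from the Microsoft report or this article).
# Field names follow Windows Security events 4720/4732/4624 and Sysmon Event ID 7.
from typing import Dict, List

# DLL names the article reports being loaded through search-order hijacking.
HIJACKED_DLL_NAMES = {"dsrole.dll", "version.dll"}
# Assumption: a legitimate copy of these DLLs is only loaded from the system directories.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KERBEROS_SERVICE_ACCOUNT = "krbtgt"   # the real Kerberos TGT account the actor imitates
LOCAL_ADMIN_GROUPS = {"administrators", "s-1-5-32-544"}
RDP_LOGON_TYPE = 10


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'krtbgt' is two substitutions away from 'krbtgt'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_krbtgt_lookalike(account: str) -> bool:
    """True for names close to krbtgt but not krbtgt itself (threshold is an assumption)."""
    name = account.split("\\")[-1].lower()   # strip a DOMAIN\ or HOST\ prefix
    return name != KERBEROS_SERVICE_ACCOUNT and edit_distance(name, KERBEROS_SERVICE_ACCOUNT) <= 2


def detect_rogue_admin_account(security_events: List[Dict]) -> List[Dict]:
    """4720 create -> 4732 add to local admins -> 4624 type 10 (RDP) for lookalike names."""
    findings = []
    for ev in security_events:
        eid = ev.get("EventID")
        if eid == 4720 and is_krbtgt_lookalike(ev["TargetUserName"]):
            findings.append({"rule": "krbtgt_lookalike_created",
                             "host": ev["Computer"], "account": ev["TargetUserName"]})
        elif (eid == 4732 and ev["TargetUserName"].lower() in LOCAL_ADMIN_GROUPS
              and is_krbtgt_lookalike(ev["MemberName"])):
            findings.append({"rule": "krbtgt_lookalike_local_admin",
                             "host": ev["Computer"], "account": ev["MemberName"]})
        elif (eid == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE
              and is_krbtgt_lookalike(ev["TargetUserName"])):
            findings.append({"rule": "krbtgt_lookalike_rdp_logon",
                             "host": ev["Computer"], "account": ev["TargetUserName"]})
    return findings


def detect_dll_hijack(image_loads: List[Dict]) -> List[Dict]:
    """Sysmon ID 7: a hijack-prone DLL name loaded unsigned or from outside the system dirs."""
    findings = []
    for ev in image_loads:
        path = ev["ImageLoaded"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name not in HIJACKED_DLL_NAMES:
            continue
        microsoft_signed = (ev.get("Signed") == "true"
                            and "microsoft" in ev.get("Signature", "").lower())
        in_system_dir = path.startswith(SYSTEM_DLL_DIRS)
        if not (microsoft_signed and in_system_dir):
            findings.append({"rule": "dll_search_order_hijack", "host": ev["Computer"],
                             "process": ev["Image"], "dll": ev["ImageLoaded"]})
    return findings


# Constructed sample telemetry, loosely modelled on the chain described in the article.
SAMPLE_SECURITY_EVENTS = [
    {"EventID": 4720, "Computer": "build01", "SubjectUserName": "TeamCityService",
     "TargetUserName": "krtbgt"},
    {"EventID": 4732, "Computer": "build01", "SubjectUserName": "TeamCityService",
     "TargetUserName": "Administrators", "MemberName": "BUILD01\\krtbgt"},
    {"EventID": 4624, "Computer": "build01", "TargetUserName": "krtbgt", "LogonType": 10},
    {"EventID": 4720, "Computer": "build01", "SubjectUserName": "admin",
     "TargetUserName": "svc_backup"},                                   # benign
    {"EventID": 4624, "Computer": "build01", "TargetUserName": "krbtgt", "LogonType": 3},  # real account
]
SAMPLE_IMAGE_LOADS = [
    {"Computer": "build01", "Image": "C:\\TeamCity\\bin\\TeamCityService.exe",
     "ImageLoaded": "C:\\TeamCity\\bin\\DSROLE.dll", "Signed": "false", "Signature": "-"},
    {"Computer": "build01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"Computer": "build01", "Image": "C:\\Program Files\\Tool\\tool.exe",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\version.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for finding in detect_rogue_admin_account(SAMPLE_SECURITY_EVENTS) + detect_dll_hijack(SAMPLE_IMAGE_LOADS):
        print(finding)
```

On the constructed sample the three account rules fire in sequence for krtbgt while the benign svc_backup creation and the real krbtgt logon stay quiet, and only the unsigned DSROLE.dll loaded from the TeamCity directory is reported. In a real deployment the lookalike check is the cheap part; the durable signal is any 4720 followed by a 4732 into Administrators from a process running as the TeamCity service account, regardless of the name chosen.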


10/19/2023 08:50

Marco Verro
