North Korean attacks exploit flaw in JetBrains TeamCity
Details of Lazarus Group attacks on JetBrains TeamCity vulnerabilities
Microsoft reported North Korean attacks on JetBrains TeamCity, exploiting a serious security flaw. The attacks aim to compromise servers and use various techniques, including Trojans and custom proxies. Microsoft attributed the attacks to known groups linked to the North Korean government.
North Korean threat actors are actively exploiting a severe security vulnerability in JetBrains TeamCity to opportunistically breach vulnerable servers, Microsoft reports. The attacks, which involve the exploitation of CVE-2023-42793 (CVSS score: 9.8), were attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). Both threat activity clusters are part of the well-known North Korean state group Lazarus Group.
Attack methods used
In one of the two attack paths used by Diamond Sleet, the TeamCity server is compromised and an implant known as ForestTiger is then deployed from legitimate infrastructure previously compromised by the threat actor. The second variant uses the initial foothold to retrieve a malicious DLL (DSROLE.dll, aka RollSling, or Version.dll, aka FeedLoad) that is loaded via a technique called DLL search order hijacking to execute a later-stage payload or a remote access trojan (RAT). Microsoft said it has observed the adversary using a combination of tools and techniques from both attack sequences in some cases.
Onyx Sleet attacks and subsequent actions
The intrusions mounted by Onyx Sleet, by contrast, use the access gained by exploiting the JetBrains TeamCity bug to create a new user account called krtbgt, presumably with the intent of impersonating the Kerberos Ticket Granting Ticket. “After creating the account, the threat actor adds it to the Local Administrators group via net use,” Microsoft said. “The threat actor also executes several system discovery commands on the compromised systems.” The attacks subsequently lead to the deployment of a custom proxy tool called HazyLoad that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Another significant post-compromise action is to use the attacker-controlled krtbgt account to access the compromised device via Remote Desktop Protocol (RDP) and stop the TeamCity service, in an apparent attempt to prevent access by other threat actors.
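A detection for the account-creation step described above, written here as an added example (it is not code from Microsoft, JetBrains or this article): it correlates constructed Windows Security events 4720 (account created) and 4732 (member added to a local group) per host and flags a brand-new account promoted to Administrators, rating it higher when the name is a near-miss of the Kerberos krbtgt account, as krtbgt is. Host names, timestamps and the simplified event layout are assumptions.

```python
"""Flag a newly created account that is added to local Administrators soon
after creation; rate it 'high' when its name mimics 'krbtgt' (e.g. 'krtbgt').
Added example; events are a constructed, simplified view of Security events
4720 (user account created) and 4732 (member added to local group)."""
from datetime import datetime, timedelta

KRBTGT = "krbtgt"


def mimics_krbtgt(name: str) -> bool:
    """True for near-miss spellings of 'krbtgt' made by swapping one adjacent
    pair of letters (as in 'krtbgt'); False for the real name itself."""
    n = name.lower()
    if n == KRBTGT or len(n) != len(KRBTGT):
        return False
    swaps = {n[:i] + n[i + 1] + n[i] + n[i + 2:] for i in range(len(n) - 1)}
    return KRBTGT in swaps


def detect(events, window=timedelta(hours=1)):
    """Correlate 4720 -> 4732 per (host, account). Returns a list of
    (severity, host, account) tuples, in event-time order."""
    created = {}  # (host, account) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["account"].lower())
        if ev["id"] == 4720:
            created[key] = ev["time"]
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            t0 = created.get(key)
            if t0 is not None and ev["time"] - t0 <= window:
                sev = "high" if mimics_krbtgt(ev["account"]) else "medium"
                alerts.append((sev, ev["host"], ev["account"]))
    return alerts


# Constructed sample events; host names and times are made up.
T = datetime(2023, 10, 18, 3, 0)
SAMPLE_EVENTS = [
    {"id": 4720, "time": T, "host": "teamcity01", "account": "krtbgt"},
    {"id": 4732, "time": T + timedelta(minutes=2), "host": "teamcity01",
     "account": "krtbgt", "group": "Administrators"},
    {"id": 4720, "time": T, "host": "build02", "account": "svc_agent"},
    {"id": 4732, "time": T + timedelta(minutes=5), "host": "build02",
     "account": "svc_agent", "group": "Administrators"},
    {"id": 4732, "time": T + timedelta(days=2), "host": "build02",
     "account": "old_admin", "group": "Administrators"},  # no 4720: ignored
]
```

Running `detect(SAMPLE_EVENTS)` yields one high-severity alert for krtbgt on teamcity01 and one medium alert for svc_agent on build02; the old_admin promotion has no matching creation event and is not reported.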
10/19/2023 08:50
Marco Verro