
North Korean attacks exploit flaw in JetBrains TeamCity

Details of Lazarus Group attacks on JetBrains TeamCity vulnerabilities

Microsoft has reported North Korean attacks on JetBrains TeamCity that exploit a critical security flaw. The attacks aim to compromise build servers and use a range of techniques, including remote access trojans and a custom proxy tool. Microsoft attributes the activity to known groups linked to the North Korean government.


North Korean threat actors are actively exploiting a severe security vulnerability in JetBrains TeamCity to opportunistically breach vulnerable servers, Microsoft reports. The attacks exploit CVE-2023-42793 (CVSS score: 9.8), an authentication bypass in TeamCity On-Premises that allows remote code execution and was fixed in version 2023.05.4; any self-hosted server still running an older version should be treated as exposed. Microsoft attributes the activity to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). Both activity clusters are tracked as part of the North Korean state-sponsored activity commonly grouped under the Lazarus Group name.

Attack methods used

In one of the two attack paths used by Diamond Sleet, the compromise of a TeamCity server is followed by the deployment of an implant known as ForestTiger, retrieved from legitimate infrastructure previously compromised by the threat actor. The second variant uses the initial foothold to retrieve malicious DLLs (DSROLE.dll, tracked as RollSling, and Version.dll, tracked as FeedLoad) that are loaded through DLL search order hijacking and go on to execute a later-stage payload or a remote access trojan (RAT). Microsoft noted that in some cases it observed the adversary combining tools and techniques from both attack sequences.

Onyx Sleet attacks and subsequent actions

The intrusions mounted by Onyx Sleet, on the other hand, use the access gained by exploiting the TeamCity bug to create a new user account named krtbgt, presumably to blend in by mimicking the built-in krbtgt account (the Kerberos Ticket Granting Ticket service account). “After creating the account, the threat actor adds it to the Local Administrators group via net use,” Microsoft said. “The threat actor also executes several system discovery commands on the compromised systems.” The attacks then deploy a custom proxy tool called HazyLoad, which establishes a persistent connection between the compromised host and attacker-controlled infrastructure. Another notable post-compromise action is to use the attacker-controlled krtbgt account to access the compromised device over Remote Desktop Protocol (RDP) and to stop the TeamCity service, apparently to prevent other threat actors from exploiting the same flaw.
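The post-compromise behaviour described in the two sections above (the Diamond Sleet DLL search order hijacking, and the Onyx Sleet chain of lookalike account, local admin membership, RDP logon and TeamCity service stop) is what a defender can actually hunt for on a build server. The script below is an added example by the editor, not code from Microsoft or JetBrains. It runs over a constructed batch of Windows event records (a flat dict per event, with field names borrowed from Security event IDs 4720/4732/4624, System event 7036 and Sysmon event 7; that layout is an assumption of this example) and generalises the krtbgt indicator to any account name within one edit of krbtgt, so a transposition, a dropped letter or an appended character is caught as well. Version.dll sideloading is common enough in unrelated malware that the DLL finding is a hunt lead, not an alert on its own.

```python
"""Hunt for the TeamCity post-exploitation indicators over Windows event
records. Editor's added example; not code from Microsoft or JetBrains.
The record layout below is an assumption, not a real log format."""
from datetime import datetime, timedelta

KRBTGT = "krbtgt"
# DLL names the text reports being dropped for search-order hijacking;
# the legitimate copies live only under these directories.
HIJACK_DLLS = {"dsrole.dll", "version.dll"}
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ADMIN_WINDOW = timedelta(hours=1)  # creation -> Administrators membership


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, so 'krtbgt' is one step away from 'krbtgt'."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_krbtgt_lookalike(name: str) -> bool:
    """krbtgt itself is built in and never created by hand, so an exact
    match is as suspicious as a one-edit lookalike such as krtbgt."""
    return osa_distance(name, KRBTGT) <= 1


def hunt(events):
    """Return (finding, host, subject, time) tuples in chronological order."""
    findings = []
    created = {}  # (host, account) -> creation time of a lookalike account
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        host, eid, chan = ev["host"], ev["event_id"], ev["channel"]
        if chan == "Security" and eid == 4720 and is_krbtgt_lookalike(ev["target_user"]):
            created[(host, ev["target_user"].lower())] = t
            findings.append(("krbtgt_lookalike_created", host, ev["target_user"], ev["time"]))
        elif chan == "Security" and eid == 4732 and ev["group"].lower() == "administrators":
            key = (host, ev["member"].lower())
            if key in created and t - created[key] <= ADMIN_WINDOW:
                findings.append(("lookalike_added_to_admins", host, ev["member"], ev["time"]))
        elif chan == "Security" and eid == 4624 and ev.get("logon_type") == 10:  # RDP
            if (host, ev["target_user"].lower()) in created:
                findings.append(("lookalike_rdp_logon", host, ev["target_user"], ev["time"]))
        elif chan == "System" and eid == 7036 and "teamcity" in ev["service"].lower():
            # Only interesting once a lookalike account exists on the same host.
            if ev["state"].lower() == "stopped" and any(h == host for h, _ in created):
                findings.append(("teamcity_service_stopped", host, ev["service"], ev["time"]))
        elif chan == "Sysmon" and eid == 7:  # image load
            path = ev["image_loaded"].lower()
            if path.rsplit("\\", 1)[-1] in HIJACK_DLLS and not path.startswith(SYSTEM_DLL_DIRS):
                findings.append(("dll_sideload_candidate", host, ev["image_loaded"], ev["time"]))
    return findings


SAMPLE_EVENTS = [  # constructed records for this example, not real telemetry
    {"time": "2023-10-05T03:12:00", "channel": "Security", "event_id": 4720,
     "host": "BUILD01", "target_user": "krtbgt"},
    {"time": "2023-10-05T03:12:30", "channel": "Security", "event_id": 4732,
     "host": "BUILD01", "group": "Administrators", "member": "krtbgt"},
    {"time": "2023-10-05T03:40:00", "channel": "Security", "event_id": 4624,
     "host": "BUILD01", "target_user": "krtbgt", "logon_type": 10},
    {"time": "2023-10-05T03:45:00", "channel": "System", "event_id": 7036,
     "host": "BUILD01", "service": "TeamCity", "state": "stopped"},
    {"time": "2023-10-05T04:00:00", "channel": "Sysmon", "event_id": 7,
     "host": "BUILD02", "image_loaded": "C:\\ProgramData\\Version.dll"},
    # benign noise that must not fire
    {"time": "2023-10-05T04:01:00", "channel": "Sysmon", "event_id": 7,
     "host": "BUILD02", "image_loaded": "C:\\Windows\\System32\\version.dll"},
    {"time": "2023-10-05T09:00:00", "channel": "Security", "event_id": 4720,
     "host": "BUILD03", "target_user": "svc_build"},
    {"time": "2023-10-05T09:00:10", "channel": "Security", "event_id": 4732,
     "host": "BUILD03", "group": "Administrators", "member": "svc_build"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

The account-based findings key on event 4732 (member added to a local group) rather than on the exact command line Microsoft quoted, so they fire whether the attacker used net, PowerShell or a direct API call; the Sysmon check requires image-load logging (event 7) to be enabled for the TeamCity and build-agent processes.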


10/19/2023 08:50

Marco Verro
