Russian SVR-Linked Threat Actors Exploit Unpatched JetBrains TeamCity Servers in Widespread Attacks

In recent months, widespread attacks targeting unpatched JetBrains TeamCity servers have been observed, with threat actors affiliated with the Russian Foreign Intelligence Service (SVR) identified as the perpetrators. These cyber intrusions, which have been ongoing since September 2023, highlight the increasing sophistication and adaptability of Russian cyber and influence operators throughout the war in Ukraine.

Exploiting CVE-2023-42793

One of the key vulnerabilities exploited by the SVR-linked threat actors is CVE-2023-42793, a critical security flaw with a CVSS score of 9.8. This vulnerability enables unauthenticated attackers to achieve remote code execution on affected systems. By leveraging this vulnerability, the attackers are able to gain initial access to the compromised TeamCity servers and initiate their malicious operations.

Actions taken by the SVR

Once the threat actors gain initial access through the TeamCity CVE, they proceed to escalate their privileges, move laterally within the compromised network environments, and deploy additional backdoors. These steps are taken to ensure long-term and persistent access to the compromised systems, allowing the attackers to carry out their malicious activities undetected.

Tactics used by the threat actors

Following a successful initial access, the threat actors proceed with various tactics to maximize their impact. This includes conducting extensive reconnaissance to gather valuable information about the compromised network, escalating privileges to gain further control over the system, moving laterally within the network to access additional resources, and exfiltrating sensitive data. To evade detection, the threat actors employ an open-source tool called EDRSandBlast, which helps them remain undetected by security measures.

Graphical Proton (VaporRage) and Command-and-Control (C2) communication channels

The threat actors leverage malware called GraphicalProton, also known as VaporRage, as part of their attack strategy. One unique aspect of this malware is its use of OneDrive as a primary command-and-control (C2) communication channel. By utilizing cloud storage services such as OneDrive, the attackers can maintain communication with the compromised systems, allowing them to send commands and receive data without raising suspicion. In cases where OneDrive is inaccessible, the threat actors have also employed Dropbox as a fallback mechanism for C2 communication.

Scope and impact of the attacks

The attacks have had a significant global impact, with as many as 100 devices across the United States, Europe, Asia, and Australia being compromised. While the attacks are suspected to be opportunistic in nature, the widespread nature suggests a calculated and coordinated effort by the threat actors to maximize the potential impact of their actions.

Attribution of the attacks

The intrusions have been attributed to two nation-state groups known as Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium). These groups are affiliated with the Russian SVR and have been actively involved in carrying out cyber espionage operations targeting various sectors and organizations.

Additional tactics used by Seashell Blizzard

In addition to the TeamCity CVE exploitation, Seashell Blizzard has been observed taking advantage of pirated Microsoft Office software as a means to distribute the DarkCrystalRAT (aka DCRat) backdoor. By leveraging the popularity of pirated software, the threat actors gain initial access to compromised systems, enabling them to conduct further malicious activities and establish control over the network.

Microsoft’s detection of the pro-Russia influence actor

Microsoft has also identified a Russia-affiliated influence actor named Storm-1099, also known as Doppelganger. This actor has been carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022. Through social media manipulation, disinformation campaigns, and other tactics, Storm-1099 aims to shape narratives and sway public opinion in favor of Russia’s interests.

The widespread attacks on unpatched JetBrains TeamCity servers by SVR-linked threat actors highlight the growing sophistication of Russian cyber and influence operations. The exploitation of vulnerabilities, the use of advanced malware, and the strategic targeting of global networks demonstrate the adaptability and persistence of these threat actors. As organizations and individuals face heightened cybersecurity risks, it becomes crucial to prioritize patching vulnerabilities, implementing strong security measures, and remaining vigilant against the evolving tactics of malicious actors.

Explore more

GNOME Extensions Significantly Reduce Linux Battery Life

The long-standing assumption that Linux distributions naturally outperform Windows in power management often crumbles when subjected to rigorous real-world battery testing on modern mobile hardware. While the core Linux kernel remains an engineering marvel of efficiency, the modern software landscape has introduced layers of complexity that frequently negate these inherent advantages. Desktop environments, which serve as the primary interface for

How to Install the macOS 27 Golden Gate Public Beta

The evolution of the Mac operating system reaches a pivotal moment with the release of the macOS 27 Golden Gate Public Beta, offering a glimpse into the next generation of computing. For enthusiasts and early adopters, this release represents more than just a seasonal update; it serves as a foundation for a new era of interaction between humans and hardware.

Is UiPath Stock a Genuine Bargain or a Value Trap?

The rapid evolution of robotic process automation into the sophisticated realm of agentic artificial intelligence has left many investors questioning whether pioneers like UiPath still hold a competitive edge in an increasingly crowded software market. While the company once dominated the landscape by automating repetitive tasks, the current technological shift demands a much deeper integration of cognitive capabilities that can

How Does the ClaudeFix Campaign Exploit Trust in AI?

As artificial intelligence platforms become central to daily productivity, threat actors have shifted their focus toward subverting the inherent credibility of these tools to facilitate sophisticated social engineering schemes. The emergence of the ClaudeFix campaign demonstrates an alarming evolution in cybercrime, where attackers no longer rely solely on poorly designed spoofed websites but instead leverage the legitimate infrastructure of major

Ransomware Costs Rise as Tactics Shift to Identity Theft

The digital extortion landscape has undergone a radical transformation as traditional file encryption loses its efficacy against organizations that have finally mastered the art of robust, offline backup solutions. While the initial ransomware wave relied on locking down systems to demand a fee, modern threat actors like LockBit and BlackCat have pivoted toward a more insidious strategy: stealing the very