Russian SVR-Linked Threat Actors Exploit Unpatched JetBrains TeamCity Servers in Widespread Attacks

In recent months, widespread attacks targeting unpatched JetBrains TeamCity servers have been observed, with threat actors affiliated with the Russian Foreign Intelligence Service (SVR) identified as the perpetrators. These cyber intrusions, which have been ongoing since September 2023, highlight the increasing sophistication and adaptability of Russian cyber and influence operators throughout the war in Ukraine.

Exploiting CVE-2023-42793

One of the key vulnerabilities exploited by the SVR-linked threat actors is CVE-2023-42793, a critical security flaw with a CVSS score of 9.8. This vulnerability enables unauthenticated attackers to achieve remote code execution on affected systems. By leveraging this vulnerability, the attackers are able to gain initial access to the compromised TeamCity servers and initiate their malicious operations.

Actions taken by the SVR

Once the threat actors gain initial access through the TeamCity CVE, they proceed to escalate their privileges, move laterally within the compromised network environments, and deploy additional backdoors. These steps are taken to ensure long-term and persistent access to the compromised systems, allowing the attackers to carry out their malicious activities undetected.

Tactics used by the threat actors

Following a successful initial access, the threat actors proceed with various tactics to maximize their impact. This includes conducting extensive reconnaissance to gather valuable information about the compromised network, escalating privileges to gain further control over the system, moving laterally within the network to access additional resources, and exfiltrating sensitive data. To evade detection, the threat actors employ an open-source tool called EDRSandBlast, which helps them remain undetected by security measures.

Graphical Proton (VaporRage) and Command-and-Control (C2) communication channels

The threat actors leverage malware called GraphicalProton, also known as VaporRage, as part of their attack strategy. One unique aspect of this malware is its use of OneDrive as a primary command-and-control (C2) communication channel. By utilizing cloud storage services such as OneDrive, the attackers can maintain communication with the compromised systems, allowing them to send commands and receive data without raising suspicion. In cases where OneDrive is inaccessible, the threat actors have also employed Dropbox as a fallback mechanism for C2 communication.

Scope and impact of the attacks

The attacks have had a significant global impact, with as many as 100 devices across the United States, Europe, Asia, and Australia being compromised. While the attacks are suspected to be opportunistic in nature, the widespread nature suggests a calculated and coordinated effort by the threat actors to maximize the potential impact of their actions.

Attribution of the attacks

The intrusions have been attributed to two nation-state groups known as Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium). These groups are affiliated with the Russian SVR and have been actively involved in carrying out cyber espionage operations targeting various sectors and organizations.

Additional tactics used by Seashell Blizzard

In addition to the TeamCity CVE exploitation, Seashell Blizzard has been observed taking advantage of pirated Microsoft Office software as a means to distribute the DarkCrystalRAT (aka DCRat) backdoor. By leveraging the popularity of pirated software, the threat actors gain initial access to compromised systems, enabling them to conduct further malicious activities and establish control over the network.

Microsoft’s detection of the pro-Russia influence actor

Microsoft has also identified a Russia-affiliated influence actor named Storm-1099, also known as Doppelganger. This actor has been carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022. Through social media manipulation, disinformation campaigns, and other tactics, Storm-1099 aims to shape narratives and sway public opinion in favor of Russia’s interests.

The widespread attacks on unpatched JetBrains TeamCity servers by SVR-linked threat actors highlight the growing sophistication of Russian cyber and influence operations. The exploitation of vulnerabilities, the use of advanced malware, and the strategic targeting of global networks demonstrate the adaptability and persistence of these threat actors. As organizations and individuals face heightened cybersecurity risks, it becomes crucial to prioritize patching vulnerabilities, implementing strong security measures, and remaining vigilant against the evolving tactics of malicious actors.

Explore more

Why is LinkedIn the Go-To for B2B Advertising Success?

In an era where digital advertising is fiercely competitive, LinkedIn emerges as a leading platform for B2B marketing success due to its expansive user base and unparalleled targeting capabilities. With over a billion users, LinkedIn provides marketers with a unique avenue to reach decision-makers and generate high-quality leads. The platform allows for strategic communication with key industry figures, a crucial

Endpoint Threat Protection Market Set for Strong Growth by 2034

As cyber threats proliferate at an unprecedented pace, the Endpoint Threat Protection market emerges as a pivotal component in the global cybersecurity fortress. By the close of 2034, experts forecast a monumental rise in the market’s valuation to approximately US$ 38 billion, up from an estimated US$ 17.42 billion. This analysis illuminates the underlying forces propelling this growth, evaluates economic

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Embedded Finance Ecosystem – A Review

In the dynamic landscape of fintech, a remarkable shift is underway. Embedded finance is taking the stage as a transformative force, marking a significant departure from traditional financial paradigms. This evolution allows financial services such as payments, credit, and insurance to seamlessly integrate into non-financial platforms, unlocking new avenues for service delivery and consumer interaction. This review delves into the

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.