In recent months, widespread attacks targeting unpatched JetBrains TeamCity servers have been observed, with threat actors affiliated with the Russian Foreign Intelligence Service (SVR) identified as the perpetrators. These cyber intrusions, which have been ongoing since September 2023, highlight the increasing sophistication and adaptability of Russian cyber and influence operators throughout the war in Ukraine.
Exploiting CVE-2023-42793
One of the key vulnerabilities exploited by the SVR-linked threat actors is CVE-2023-42793, a critical security flaw with a CVSS score of 9.8. This vulnerability enables unauthenticated attackers to achieve remote code execution on affected systems. By leveraging this vulnerability, the attackers are able to gain initial access to the compromised TeamCity servers and initiate their malicious operations.
Actions taken by the SVR
Once the threat actors gain initial access through the TeamCity CVE, they proceed to escalate their privileges, move laterally within the compromised network environments, and deploy additional backdoors. These steps are taken to ensure long-term and persistent access to the compromised systems, allowing the attackers to carry out their malicious activities undetected.
Tactics used by the threat actors
Following a successful initial access, the threat actors proceed with various tactics to maximize their impact. This includes conducting extensive reconnaissance to gather valuable information about the compromised network, escalating privileges to gain further control over the system, moving laterally within the network to access additional resources, and exfiltrating sensitive data. To evade detection, the threat actors employ an open-source tool called EDRSandBlast, which helps them remain undetected by security measures.
Graphical Proton (VaporRage) and Command-and-Control (C2) communication channels
The threat actors leverage malware called GraphicalProton, also known as VaporRage, as part of their attack strategy. One unique aspect of this malware is its use of OneDrive as a primary command-and-control (C2) communication channel. By utilizing cloud storage services such as OneDrive, the attackers can maintain communication with the compromised systems, allowing them to send commands and receive data without raising suspicion. In cases where OneDrive is inaccessible, the threat actors have also employed Dropbox as a fallback mechanism for C2 communication.
Scope and impact of the attacks
The attacks have had a significant global impact, with as many as 100 devices across the United States, Europe, Asia, and Australia being compromised. While the attacks are suspected to be opportunistic in nature, the widespread nature suggests a calculated and coordinated effort by the threat actors to maximize the potential impact of their actions.
Attribution of the attacks
The intrusions have been attributed to two nation-state groups known as Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium). These groups are affiliated with the Russian SVR and have been actively involved in carrying out cyber espionage operations targeting various sectors and organizations.
Additional tactics used by Seashell Blizzard
In addition to the TeamCity CVE exploitation, Seashell Blizzard has been observed taking advantage of pirated Microsoft Office software as a means to distribute the DarkCrystalRAT (aka DCRat) backdoor. By leveraging the popularity of pirated software, the threat actors gain initial access to compromised systems, enabling them to conduct further malicious activities and establish control over the network.
Microsoft’s detection of the pro-Russia influence actor
Microsoft has also identified a Russia-affiliated influence actor named Storm-1099, also known as Doppelganger. This actor has been carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022. Through social media manipulation, disinformation campaigns, and other tactics, Storm-1099 aims to shape narratives and sway public opinion in favor of Russia’s interests.
The widespread attacks on unpatched JetBrains TeamCity servers by SVR-linked threat actors highlight the growing sophistication of Russian cyber and influence operations. The exploitation of vulnerabilities, the use of advanced malware, and the strategic targeting of global networks demonstrate the adaptability and persistence of these threat actors. As organizations and individuals face heightened cybersecurity risks, it becomes crucial to prioritize patching vulnerabilities, implementing strong security measures, and remaining vigilant against the evolving tactics of malicious actors.