CVE-2023-42793 Detection: Large-Scale Exploitation of the JetBrains TeamCity Vulnerability by the russian Foreign Intelligence Service

FBI and CISA, in conjunction with U.S. and international cybersecurity authorities, warn the global cyber defender community about large-scale exploitation of CVE-2023-42793, a critical JetBrains TeamCity CVE potentially leading to RCE on the vulnerable instances. The related cybersecurity alert AA23-347A attributes the ongoing cyber-offensive operations to the russian Foreign Intelligence Service (SVR) represented by the nefarious APT29 hacking collective.

Detecting CVE-2023-42793 Exploits

With the world standing on the brink of a global cyber war, cyber defenders are looking for ways to withstand the escalating amount of threats by joining forces and staying proactive. Equipped with SOC Prime’s Platform for collective cyber defense, security practitioners can always obtain curated content for emerging threats, enriched with extensive metadata. 

To stay on top of SVR-related attacks leveraging CVE-2023-42793 vulnerability in JetBrains TeamCity software, SOC Prime Platform offers a set of 18 detection rules compatible with your SIEM, EDR, XDR, or Data Lake solution in use. All rules are mapped to MITRE ATT&CK framework and enriched with detailed metadata, including CTI links, media references, triage recommendations, etc. Just press the Explore Detection buttons below and drill down to a curated detection stack.

Explore Detections

To streamline threat investigation and boost detection engineering operations, security experts can leverage Uncoder AI. Just paste the forensics data from the corresponding alert, hit the Translate button, and obtain custom search queries ready to run in a chosen security solution.

Eager to join the ranks of cyber defenders contributing to a safer tomorrow? Register to SOC Prime Threat Bounty program, submit your own detection rules, code your future CV, network with industry experts, and receive recurring payouts for your contribution.

CVE-2023-42793 Analysis: JetBrains TeamCity Vulnerability Exploitation Covered in the Cybersecurity Advisory

The large-scale cyber attacks launched by russian state-sponsored hacking collectives are increasing in volume and sophistication as part of сollective offensive activities against Ukraine and its allies. On December 13, 2023, FBA, CISA, and NSA, in collaboration with U.S. and international partners, issued a novel cybersecurity alert covering the ongoing attacks weaponizing a critical vulnerability in JetBrains TeamCity servers tracked as CVE-2023-42793. The uncovered security flaw is an authentication bypass vulnerability with the CVSS score reaching 9.8. And affecting software versions before 2023.05.4. In the ongoing campaign, CISA and partners have detected several compromised companies across the U.S., Europe, Asia, and Australia, with over 100 compromised TeamCity servers.

The infamous APT29 group, also known as the Dukes (aka Cozy Bear, NOBELIUM, or Midnight Blizzard), which is a covert hacking division associated with the russia’s SVR and operating in alignment with Moscow’s geopolitical objectives, is linked to the ongoing offensive campaign targeting servers that host JetBrains TeamCity software since September 2023.

Since at least 2013, SVR cyber operations have been exposing global organizations to severe threats aimed at stealing confidential data and proprietary information, as well as collecting foreign intelligence. Tech companies are also among the common targets of the aggressor’s offensive campaigns.

In the latest attacks against networks hosting TeamCity servers, the SVR again sets eyes on the tech sector. By exploiting CVE-2023-42793, the SVR could gain access to victims through compromised networks, especially those of software developers. JetBrains released a patch for this security flaw in mid-September 2023, restricting the SVR’s operation to the exploitation of only unpatched, Internet-facing TeamCity servers. According to the latest alert, SVR has not yet taken advantage of its access to software developers for network compromise and is still likely in the attack preparatory phase. 

The successful exploitation of CVE-2023-42793 results in the authorization bypassing and subsequent arbitrary code execution on the vulnerable server. Threat actors have also been observed performing host reconnaissance and file exfiltration, as well as leveraging scheduled tasks to ensure persistence and applying a set of techniques to evade detection. Following the establishment of a secure foothold and investigating an impacted TeamCity server, adversaries focused on network reconnaissance by leveraging a combination of built-in commands and supplementary tools, like a port scanner and PowerSploit. Over the course of the observed campaign, hackers employed a set of custom and open-source offensive utilities and backdoors, including GraphicalProton and its HTTPS variant.

As potential CVE-2023-42793 mitigation measures, JetBrains TeamCity customers are recommended to update their servers to the software version 2023.05.4. Alternatively, a security patch plugin can be leveraged as a workaround for those users who have trouble promptly updating the server. 

The rise in cyber attacks linked to state-sponsored hacking groups, such as extensive campaigns led by russian offensive units, underscores the urgency of bolstering cybersecurity defenses. Explore Threat Detection Marketplace and obtain the curated list of SOC content to detect APT attacks of any scale and sophistication.