The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that Russian Foreign Intelligence Services are exploiting a vulnerability in popular CI/CD tool TeamCity.
CISA, together with the FBI and NSA, the UK’s National Cyber Security Centre (NCSC), and Poland’s Military Counterintelligence Service (SKW) and CERT Polska (CERT.PL), has observed the Russian threat actor exploiting a CVE “at a large scale” since September 2023.
The group says that compromised TeamCity accounts could expose developer source code, signing certificates, and more.
Organizations warned of Russian hackers
CISA says its intention is to get organizations to conduct their own investigations and secure their networks. It’s also hoped that cybersecurity companies will be able to better prepare themselves for these attacks thanks to early warning from some of the world’s leading security bodies.
The group, known by a variety of names, including APT 29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, and active since at least 2013, used similar methods to compromise SolarWinds customers in 2020. In fact, the US government has previously raised alarm bells about the group in other advisories over the years.
In this instance, the group exploits CVE-2023-42793, which results in arbitrary code execution on the server through insecure handling of specific paths.
A description of the vulnerability reads: “In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible.”
CISA said that it was not aware of any other initial access vector to JetBrains TeamCity, but that companies across the US, Europe, and other parts of the world have been notified.
Just a few weeks ago, Microsoft said that North Korean hackers with state ties had also been exploiting the same CVE.
JetBrains has already issued a fix, meaning that the now opportunistic attacks rely on users who haven’t yet applied the update, further highlighting the sheer importance of staying on top of security fixes as and when they’re published.