A joint cybersecurity advisory has been released by the FBI, CISA, NSA, SKW, CERT.PL, and NCSC-UK which covers the Russian Foreign Intelligence Service (SVR) actively exploiting a vulnerability in the TeamCity software collaboration tool.
The advisory which was released on Wednesday (13th) details the activities conducted by the SVR – (tracked as APT29, The Dukes, CozyBear, and Nobelium/Midnight Blizzard) in their exploitation of the vulnerability (CVE-2023-42793).
What is TeamCity?
TeamCity is the name of a Continuous Integration DevOPs software development platform produced by a company called JetBrains, which allows software development teams to manage and automate software compilation, building, testing, and releasing.
Tens of Thousands of DevOps teams use TeamCity which means that this vulnerability has the potential to impact on many companies, and their customers.
The vulnerability
CVE-2023-42793 enables the insecure handling of specific paths allowing for the bypassing of authorization processes, resulting in arbitrary code execution on the server.
If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations
The vulnerability affects all versions of TeamCity from v2.0 through to v2023.05.03, and has been given a CVSS score of 9.8 – Critical. The vulnerability was initially discovered by researchers at SonarSource back in September.
TeamCity uses request interceptors in order to perform specific actions for every HTTP request. One of these actions implemented via a request interceptor is the authorization mechanism.
The class responsible for applying this and other interceptors is called RequestInterceptors. When a request is received, the preHandle method of this class is invoked, which determines if the request is suitable for pre-handling by calling:
requestPreHandlingAllowed:jetbrains.buildServer.controllers.interceptors.RequestInterceptors
Amongst other things, this method checks if the requested path matches a predefined list of path expressions (myPreHandlingDisabled). For matching paths, no pre-handling should be applied
In the constructor of RequestInterceptors, two path expressions are added, which should be excluded from any pre-handling processing:
The first path expression starts with the static string "/**", followed by the return value of XmlRpcController.getPathSuffix(), which returns the static string "/RPC2":
Thus, the resulting path expression is "/**/RPC2". For requests to a path matching this expression, no pre-handling interceptors are applied. This also means that for these requests, no authorization check is performed.
This is particularly dangerous because this expression allows arbitrary prefixes in the requested path due to the two asterisks ("/**/"). This effectively disables the authorization check for every request to a path ending with /RPC2, thus allowing a malicious actor to execute arbitrary commands on the TeamCity platform.
APT29
APT29 is threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks.
Attributed attacks
2014
A Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on their network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a flash video of office monkeys that would also include malicious executables. By July the group had compromised government networks and directed CozyDuke-infected systems to install Miniduke onto a compromised network.
Digital agents of the Dutch General Intelligence and Security Service infiltrated Cozy Bear. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI’s decision to open an investigation into the group.
2015
APT29 was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shut down of the entire Joint Staff unclassified email system and Internet access during the investigation
2016
Cozy Bear (APT29) was implicated alongside the hacker group Fancy Bear (APT28) in the Democratic National Committee cyber attacks. While the two groups were both present in the Democratic National Committee’s servers at the same time, they appeared to be unaware of the other, each independently stealing the same passwords and otherwise duplicating their efforts. A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC’s network for over a year, Fancy Bear had only been there a few weeks. Cozy Bear’s more sophisticated tradecraft and interest in traditional long-term espionage suggested that the group originates from a separate Russian intelligence agency.
After the 2016 United States presidential election, APT29 was linked to a series of coordinated and well-planned spear phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).
2017
The Norwegian Police Security Service (PST) reported that attempts had been made to spearphish the email accounts of nine individuals in the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to APT29, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed colleague. Prime Minister Erna Solberg called the acts “a serious attack on our democratic institutions”.
APT29 and APT28 made several attempts to hack into Dutch ministries, including the Ministry of General Affairs
2019
Suspicions that APT29 had ceased operations were dispelled in 2019 by the discovery of three new malware families attributed to the group: PolyglotDuke, RegDuke and FatDuke. This shows that APT29 did not cease operations, but rather had developed new tools that were harder to detect. Target compromises using these newly uncovered packages are collectively referred to as Operation Ghost
2020
APT29 was accused by the NSA, NCSC and the CSE of trying to steal data on vaccines and treatments for COVID-19 being developed in the UK, US, and Canada
December 2020, U.S. cybersecurity firm FireEye disclosed that a collection of their proprietary cybersecurity research tools had been stolen, possibly by “a nation with top-tier offensive capabilities.” On 13 December 2020, FireEye announced that investigations into the circumstances of that intellectual property theft revealed “a global intrusion campaign … [utilizing a] supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST”
Shortly thereafter, SolarWinds confirmed that multiple versions of their Orion platform products had been compromised, probably by a foreign nation state. The impact of the attack prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency directive. Approximately 18,000 SolarWinds clients were exposed to SUNBURST, including several U.S. federal agencies.
2021
APT29 breached systems of the Republican National Committee.
2022
Microsoft revealed an unnamed customer was compromised by an APT29 attack that had very high resilience on an Active Directory Federated Services server and dubbed this attack method “MagicWeb”, an attack which “manipulates the user authentication certificates used for authentication”
TeamCity attacks
The SVR started to exploit Internet-connected JetBrains TeamCity servers in late September
2023 using CVE-2023-42793. Observations show that the TeamCity exploitation usually resulted in code execution with high privileges granting the SVR an advantageous foothold in the network environment.
Once access has been acquired, the threat actor conducts various reconnaissance activities using common operating system commands, such as whoami, tasklist, netstat, etc.
To facilitate privilege escalation, APT29 use multiple techniques, including WinPEAS, NoLMHash registry key modification, and the Mimikatz tool.
After discovering what access the group have, they conduct a number of data exfiltration activities from both the underlying operating system, and the SQL database used by TeamCity.
To avoid detection, the threat actors use a “Bring Your Own Vulnerable Driver” technique to disable
or outright kill endpoint detection and response (EDR) and antivirus (AV) software.
This was done using an open source project called “EDRSandBlast.” TAPT29 have been observed using EDRSandBlast to remove protected process light (PPL) protection, which is used for controlling and protecting running processes and protecting them from infection. The threat actors then inject code into AV/EDR processes for a small subset of victims.
Additionally, executables that are likely to be detected (i.e. Mimikatz) were executed in memory.
To further avoid detection by network monitoring, the SVR have devised a covert C2 channel that uses Microsoft OneDrive and Dropbox cloud services. To further enable obfuscation, data exchanged via OneDrive and Dropbox were hidden inside randomly generated BMP files.
