threat-analysis

Nation-State Actors and Cyber Criminals Exploiting JetBrains’ TeamCity Vulnerability CVE-2023-42793

DeepSeas is aware of reports that Russian nation-state actors, specifically APT29, have been exploiting an authentication bypass vulnerability in JetBrains’ TeamCity servers. Public and bespoke detection logic for the payloads associated with this activity have been deployed.

Background – JetBrains TeamCity Vulnerability CVE-2023-42793

First identified and reported to JetBrains in September 2023, the initial exploitation of CVE-2023-42793 was observed in October 2023 against a biomedical manufacturer based in the United States. According to CISA, the victims include, “[an] energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, […] video games, tools manufacturers, and small and large IT companies.”[i] DeepSeas has also observed chatter in cybercriminal and dark web forums regarding CVE-2023-42793, along with claims that working exploits are available for rent and/or purchase. Other attempts to exploit CVE-2023-42793, presumably by cyber criminal and financially motivated actors, have been observed in the wild with varying levels of sophistication and success.[ii]

Detection and Mitigation for JetBrains TeamCity Vulnerability CVE-2023-42793

DeepSeas has deployed the following rules to support its MDR customers:

  • TeamCity Java Scheduling Task
  • Suspicious Child Processes of TeamCity Java
  • EDRSandblast Indicators

The following are recommendations for detection opportunities:

  • Review the teamcity-server.log file for any indications of potentially malicious activity between 01 September 2023 and present. If proxied, examine proxy logs for the same.
  • Look for unusual traffic against the /app/rest/users/id:1/tokens/RPC2 endpoint, which is required for exploitation of CVE-2023-42793.

The following are recommendations for mitigation:

  • Ensure that all JetBrains TeamCity servers are fully patched.
  • Ensure that, if unpatched, JetBrains TeamCity servers are not public-facing.
  • If patching is not an option, install the official JetBrains security patch plugin.

Explore DeepSeas MDR+

References

[i] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

[ii] https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793