3rd Party Risk Management , Application Security , Cybercrime

CISA Warns of Russian Hackers Targeting JetBrains Software

Advisory Says Russian Hackers Have Been Exploiting Popular Software Since September
CISA Warns of Russian Hackers Targeting JetBrains Software
Image: Shutterstock

The Cybersecurity and Infrastructure Security Agency is warning that a Russian military intelligence unit is actively exploiting a vulnerability in JetBrains TeamCity, a widely used software product that allows developers to manage and automate software building, testing and releasing.

See Also: How to Build Your Cyber Recovery Playbook

Russian threat actors associated with the Kremlin's foreign intelligence service known as CozyBear, the Dukes and APT29 have been targeting servers hosting JetBrains TeamCity software over the past two months, according to an advisory released Wednesday by the agency along with the FBI, the National Security Agency and multiple international partners.

Threat actors are exploiting a vulnerability known as CVE-2023-42793 "at a large scale," the advisory says, while targeting a wide range of technology companies, foreign governments, academic institutions and more.

If compromised, the advisory warns that "access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates and the ability to subvert software compilation and deployment processes." The advisory also warns that threat actors could manipulate the developer's source code "to conduct supply chain operations."

The Russian hackers used advanced techniques and an open-source application called EDRSandBlast to avoid detection by disabling or outright killing endpoint detection and response and antivirus software. The threat actors also devised covert channels through Microsoft OneDrive and Dropbox cloud services to avoid additional detection by network monitoring, the advisory said.

According to CISA, the hackers have not exploited the vulnerability in the same way as a previous incident involving SolarWinds, in which threat actors added malicious code into the company's software updates, affecting thousands of corporate and government networks that used SolarWinds (see: SolarWinds Hackers Cast a Wide Net).

But the advisory warns that the hackers have been observed taking steps to escalate privileges, move laterally and maintain long-term and persistent access to compromised networks.

CISA is urging any organizations using JetBrains TeamCity software that did not already apply available patches to assume compromise and immediately initiate threat hunting activities. Organizations also are encouraged to report key findings to CISA and the FBI if a compromise is detected.

The mitigation techniques outlined in the advisory involve applying patches that JetBrains TeamCity released in mid-September, in addition to ensuring that host-based antivirus and endpoint monitoring solutions are enabled. The advisory also recommends requiring multifactor authentication, updating all operating systems and software, auditing log files and deploying threat hunting tools to identify suspicious behaviors on systems.

About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.