iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Security researchers have observed two groups taking advantage of a remote code execution flaw in the TeamCity On-Premises server.
TeamCity On-Premises is a popular continuous integration and deployment server development by Czech developer JetBrains.
Microsoft’s security people have been tracking the activity since early October 2023, observing the two groups – which Microsoft is dubbing Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793 for their operations.
“In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments,” Microsoft’s researchers said in a blog post.
“Given this, Microsoft assesses that this activity poses a particularly high risk to organisations [that] are affected.”
But while both threat actors are taking advantage of the same flaw, their methods and toolsets are unique.
Diamond Sleet – known to target defence companies and media all over the world – has been seen to use two attack paths. The first uses legitimate infrastructure to download two payloads via PowerShell – Forest64.exe and 4800-84DC-063A6A41C5C.
Together, the two ultimately install a backdoor, create persistence, and perform a credential dump.
The second attack vector uses PowerShell to download a malicious DLL from the attacker’s own infrastructure, which works alongside a legitimate .exe file.
“Once loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control,” Microsoft said.
“After successful compromise, Microsoft observed Diamond Sleet dumping credentials via the LSASS memory.”
In some cases, Diamond Sleet used a mix of both techniques on a single target.
Onyx Sleet, on the other hand, utilises the same vulnerability to create a new user account called “krtbgt”, probably designed to mimic the legitimate account name “KRBTGT”, or Kerberos Ticket Granting Ticket. Onyx Sleet then runs a range of system discovery commands to scout out the system, then deploys a proxy tool to maintain a connection between the compromised machine and the threat actor’s own command and control infrastructure.
From here, the attacker can sign in via a remote desktop, dump credentials, and deploy other tools. Interestingly, Onyx Sleet will also stop the TeamCity service entirely as a means to keep other threat actors off the system.
“As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments,” Microsoft said.
JetBrains has since released an update that addresses CVE-2023-42793.
You can learn more about this campaign and find a complete list of indicators of compromise and mitigation advice, here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
