Dive Brief:
- U.S. authorities warn that threat actors linked to the Russian Foreign Intelligence Service (SVR) are exploiting a critical vulnerability in JetBrains TeamCity software as part of a worldwide effort that could lead to extensive supply chain attacks.
- The FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency, along with U.K. and Polish authorities, said Nobelium/Midnight Blizzard — a threat group linked to the 2020 Sunburst attacks against SolarWinds — has been targeting hundreds of unpatched TeamCity servers across the globe. TeamCity is widely used for software development.
- The hackers have not yet launched supply chain attacks, but have used their initial access to escalate privileges, move laterally within systems and install malicious backdoors in preparation for larger attacks, authorities said.
Dive Insight:
Authorities said they are currently aware of a few dozen companies that have been compromised in the U.S., Europe, Asia and Australia. More than 100 devices have been compromised.
Thus far, the confirmed incidents have hit a wide array of targets, including an energy trade group, software firms for medical devices, customer care, financial management, and video games.
Data from Shadowserver indicates about 800 unpatched instances worldwide as of Wednesday.
JetBrains is urging customers to upgrade TeamCity servers to the fixed version and, if they cannot upgrade immediately, to disconnect the servers from the internet.
Microsoft researchers in October warned about state-affiliated hackers linked to North Korea exploiting the vulnerability, listed as CVE-2023-42793, which enables remote code execution in the on-premises version of TeamCity.
The North Korea-linked hackers, identified as Diamond Sleet and Onyx Sleet, were seen working together to install ForestTiger backdoors and then launching malicious payloads.
In October, Fortiguard Labs responded to an incident at a U.S. biomedical manufacturing firm, where custom-built malware was found matching the GraphicalProton malware used by the threat actor, which is also known as APT 29.
TeamCity had also been used by SolarWinds, but in January 2021 JetBrains denied that its software had been used for initial access into SolarWinds and said it was not aware of any vulnerability that may have led to the attack.