Microsoft researchers are warning about two North Korea state-linked threat actors abusing a critical vulnerability in JetBrains TeamCity, a widely used software development platform.
The critical vulnerability, tracked as CVE-2023-42793, is an authentication bypass that enables remote code execution in the on-premises version of TeamCity. It was originally discovered by Sonar in early September.
Customers should upgrade to the patched version of TeamCity Server or apply the security plugin. If the server is reachable from the internet and cannot be upgraded immediately, it should be taken offline until it is patched.
It remains unclear whether customers who have already patched face further attacks, or whether they were compromised before applying the mitigation. Microsoft says the observed North Korea-linked attacks began earlier this month.
The attackers, which Microsoft tracks as Diamond Sleet and Onyx Sleet under its naming taxonomy, are actively exploiting the vulnerability. Microsoft said the threat actors are working to compromise vulnerable servers and have deployed malware and other tools to gain persistent access to targeted environments.
JetBrains warned in an updated blog post that “any backdoors are likely to persist and remain undetected,” even after customers apply upgrades or security patches.
“We are aware of a small number of TeamCity on-premises customers who have reached out to our support team over the previous few weeks expressing concerns their environments may have been compromised due to the CVE-2023-42793 vulnerability,” Daniel Gallo, TeamCity solutions engineer, told Cybersecurity Dive via email.
Gallo cautioned that JetBrains is not aware if its customers have been compromised in the manner Microsoft described.
Since TeamCity On-Premises is installed in environments maintained by customers, the company doesn’t have visibility into how those environments are configured, Gallo said.
TeamCity Cloud, the SaaS version of the application, was not impacted by the vulnerability.
After gaining access to customer environments, Diamond Sleet deployed a backdoor called ForestTiger, according to the Microsoft blog. Diamond Sleet also deploys malicious payloads for use in dynamic-link library (DLL) search-order hijacking attacks, in which a malicious DLL placed where an application looks first is loaded in place of the legitimate one.
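A quick way to hunt for the DLL search-order hijacking technique mentioned above is to look for loaded modules whose file name matches a DLL shipped in System32 but which were loaded from somewhere outside the Windows directory. The script below is an added example for this article, not code from Microsoft's report or from JetBrains; the function name Find-DllHijackCandidates and the trusted-root heuristic are this example's own assumptions, and it does not know anything about the ForestTiger payloads themselves.

```powershell
# Added example (not from the article, Microsoft, or JetBrains): list loaded
# modules whose name collides with a System32 DLL but that were loaded from
# outside the Windows directory. Such collisions are the classic footprint of
# DLL search-order hijacking; they also occur with legitimate redistributables
# (e.g. vcruntime140.dll shipped beside an app), so treat hits as leads.
function Find-DllHijackCandidates {
    # Build a lookup of DLL names that Windows ships in System32.
    $systemDir = [Environment]::GetFolderPath('System')
    $knownDlls = @{}
    Get-ChildItem -Path $systemDir -Filter '*.dll' -File | ForEach-Object {
        $knownDlls[$_.Name.ToLowerInvariant()] = $true
    }

    # Modules under %SystemRoot% (System32, SysWOW64, WinSxS) are expected.
    $trustedRoot = $env:SystemRoot.ToLowerInvariant()

    foreach ($proc in Get-Process) {
        # Protected or higher-integrity processes throw on module enumeration.
        try { $modules = $proc.Modules } catch { continue }

        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $name = $m.ModuleName.ToLowerInvariant()
            $path = $m.FileName.ToLowerInvariant()

            # Only care about names that shadow a real system DLL...
            if (-not $knownDlls.ContainsKey($name)) { continue }
            # ...that were resolved from somewhere other than the Windows tree.
            if ($path.StartsWith($trustedRoot)) { continue }

            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                LoadedFrom  = $m.FileName
                # Unsigned or badly signed copies deserve the first look.
                Signature   = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            }
        }
    }
}

# Run from an elevated PowerShell session so that service processes
# (for example the TeamCity server and its build agents) are enumerated.
Find-DllHijackCandidates | Sort-Object ProcessName, Module | Format-Table -AutoSize
```

Run it elevated on the TeamCity host and on any build agents, and compare the output against a known-good machine; a hit that is unsigned, or signed by a publisher you do not recognise, and that sits in a directory the compromised service can write to is the case to escalate. Because a hijacked DLL only shows up here while the host process is running, pair this with a file-system sweep of the application directories for the same name collisions.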
The Cybersecurity and Infrastructure Security Agency previously added the authentication bypass vulnerability to its Known Exploited Vulnerabilities catalog.
While Microsoft primarily warned about Windows-based environment compromises, Linux-based environments may be under threat as well.