Russian hackers targeting JetBrains TeamCity security flaws


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that Russian Foreign Intelligence Services are exploiting a vulnerability in popular CI/CD tool TeamCity.

CISA, together with the FBI and NSA, the UK’s National Cyber Security Centre (NCSC), and Poland’s Military Counterintelligence Service (SKW) and CERT Polska (CERT.PL), has observed the Russian threat actor exploiting a CVE “at a large scale” since September 2023.

The agencies say that compromised TeamCity servers could expose developer source code, signing certificates, and more.

Organizations warned of Russian hackers

CISA says its intention is to get organizations to conduct their own investigations and secure their networks. It’s also hoped that cybersecurity companies will be able to better prepare themselves for these attacks thanks to early warning from some of the world’s leading security bodies.

The group, known by a variety of names, including APT 29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, and active since at least 2013, used similar methods to compromise SolarWinds customers in 2020. In fact, the US government has previously raised alarm bells about the group in other advisories over the years.

In this instance, the group exploits CVE-2023-42793, which results in arbitrary code execution on the server by enabling the insecure handling of specific paths.

A description of the vulnerability reads: “In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible.”

CISA said that it was not aware of any other initial access vector to JetBrains TeamCity, but that companies across the US, Europe, and other parts of the world have been notified.

Just a few weeks ago, Microsoft said that North Korean hackers with state ties had also been exploiting the same CVE.

JetBrains has already issued a fix, so these now opportunistic attacks rely on users who haven’t yet applied the update. This further highlights the importance of applying security fixes as soon as they are published.


Craig Hale
