North Korean Hackers Exploit JetBrains TeamCity Bug
North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity. The attacks, aimed at unpatched servers, exploit CVE-2023-42793, which carries a CVSS score of 9.8.
The responsible threat actors, Diamond Sleet and Onyx Sleet, both associated with the Lazarus Group, employ different methods to compromise TeamCity servers and establish persistent connections.
This latest wave of attacks highlights the increasing sophistication of the Lazarus Group and emphasizes the urgent need for enhanced cybersecurity measures.
Overview of the JetBrains TeamCity Vulnerability
The JetBrains TeamCity vulnerability is a critical security flaw that is currently being actively exploited by North Korean hackers. This vulnerability poses a significant threat to national security, as it allows threat actors to gain unauthorized access and execute remote code on TeamCity servers. The attacks have caught the attention of Microsoft, which has issued a warning about the ongoing exploitation by the North Korean threat groups Diamond Sleet and Onyx Sleet, both of which are associated with the Lazarus Group.
The attacks follow two distinct paths. In one approach, Diamond Sleet compromises TeamCity servers and deploys a known implant called ForestTiger from previously compromised infrastructure. In the other approach, a malicious DLL is retrieved and loaded using DLL search-order hijacking, leading to the execution of a next-stage payload or a remote access trojan. On the other hand, Onyx Sleet uses the TeamCity vulnerability to create a new user account named krtbgt, which is added to the Local Administrators Group. The threat actor then deploys a custom proxy tool called HazyLoad to establish a persistent connection with the compromised host.
The Lazarus Group, known for its advanced persistent threat activities, has been implicated in various cybercrimes, including financial crime and espionage. The group's activities are believed to be a significant source of revenue for the North Korean regime, funding their missile program and other illicit activities. In addition to the TeamCity vulnerability, Lazarus Group has also been observed using other malware families, such as Volgmer and Scout, to control infected systems and conduct spear-phishing attacks.
The exploitation of the JetBrains TeamCity vulnerability highlights the evolving offensive capabilities of North Korea and the need for robust cybersecurity measures to protect critical infrastructure. Organizations using JetBrains remote development servers, especially TeamCity, should ensure they promptly apply the necessary security patches to mitigate the risk posed by this vulnerability.
Attribution of the Attacks to North Korean Hackers
North Korean hackers have been attributed as the perpetrators behind the ongoing exploitation of the JetBrains TeamCity vulnerability, according to Microsoft. The attacks, which involve the exploitation of CVE-2023-42793, have been linked to two threat activity clusters known as Diamond Sleet and Onyx Sleet, both of which are part of the Lazarus Group, a notorious North Korean nation-state actor.
In the attacks conducted by Diamond Sleet, compromised TeamCity servers are used to deploy a known implant called ForestTiger, while a second variant leverages the initial foothold to load a malicious DLL that executes a next-stage payload or a remote access trojan. On the other hand, Onyx Sleet uses the exploited vulnerability to create a new user account named krtbgt, which is added to the Local Administrators Group to gain further access. The attacks also involve the deployment of a custom proxy tool called HazyLoad and the use of the krtbgt account to sign into compromised devices via remote desktop protocol.
Attack Methods and Techniques Used by Diamond Sleet
Diamond Sleet, one of the threat activity clusters within the Lazarus Group, exploits the JetBrains vulnerability using sophisticated attack methods and techniques. According to Microsoft, Diamond Sleet employs two attack paths to breach vulnerable servers. In the first method, the threat actor compromises TeamCity servers and deploys a known implant called ForestTiger from previously compromised legitimate infrastructure. This implant allows the attacker to maintain persistence and control over the compromised system.
In the second attack variant, Diamond Sleet exploits the initial foothold to retrieve a malicious DLL (DSROLE.dll) using a technique called DLL search-order hijacking. This DLL is then loaded to execute a next-stage payload or a remote access trojan (RAT). Microsoft has observed instances where Diamond Sleet combines tools and techniques from both attack sequences.
On the other hand, Onyx Sleet, another threat activity cluster within the Lazarus Group, also exploits the JetBrains TeamCity vulnerability. Once successful, the attacker creates a new user account named krtbgt to impersonate the Kerberos Ticket Granting Ticket account. This account is added to the Local Administrators Group and is used to run system discovery commands on compromised systems. Onyx Sleet then deploys a custom proxy tool called HazyLoad to establish a persistent connection between the compromised host and attacker-controlled infrastructure.
Intrusion Tactics Employed by Onyx Sleet
Onyx Sleet, another threat activity cluster within the Lazarus Group, employs specific intrusion tactics when exploiting the JetBrains TeamCity vulnerability. Microsoft warns that the intrusions mounted by Onyx Sleet take advantage of the access gained through the exploitation of the TeamCity bug to create a new user account named krtbgt. This account is likely intended to impersonate the Kerberos Ticket Granting Ticket account.
After creating the account, the threat actors add it to the Local Administrators Group using the net use command. Additionally, they run several system discovery commands on compromised systems.
The attacks also involve the deployment of a custom proxy tool called HazyLoad. This tool helps establish a persistent connection between the compromised host and the attacker-controlled infrastructure. Another noteworthy post-compromise action is the use of the attacker-controlled krtbgt account to sign into the compromised device via remote desktop protocol (RDP). The threat actors then terminate the TeamCity service to prevent access by other threat actors.
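As an added defensive example (not from the article or from Microsoft's report), the Python below correlates Windows Security events for the post-compromise sequence just described: a local account is created (event 4720), added to the Administrators group (4732) and then used for an RDP logon (4624, logon type 10) within a short window, and the account name is checked for being a one-character variant of the real krbtgt account. The event IDs and field names are the standard Windows ones; the sample records are constructed for the example.

```python
"""Correlate constructed Windows Security events for the krtbgt-style intrusion chain."""
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log fields (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2023-10-18T09:01:00", "TargetUserName": "krtbgt"},
    {"EventID": 4732, "Time": "2023-10-18T09:01:05", "TargetUserName": "krtbgt",
     "GroupName": "Administrators"},
    {"EventID": 4624, "Time": "2023-10-18T09:04:30", "TargetUserName": "krtbgt",
     "LogonType": 10},
    {"EventID": 4720, "Time": "2023-10-18T11:00:00", "TargetUserName": "svc_build"},
    {"EventID": 4624, "Time": "2023-10-18T11:30:00", "TargetUserName": "svc_build",
     "LogonType": 3},
]

REAL_NAME = "krbtgt"  # the genuine Kerberos TGT account; it never exists as a local account


def looks_like_krbtgt(name: str) -> bool:
    """True if `name` differs from 'krbtgt' by exactly one substitution or one adjacent swap."""
    n = name.lower()
    if n == REAL_NAME or len(n) != len(REAL_NAME):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(n, REAL_NAME)) if a != b]
    if len(diffs) == 1:
        return True
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
        i, j = diffs
        return n[i] == REAL_NAME[j] and n[j] == REAL_NAME[i]  # transposition, e.g. krtbgt
    return False


def _within(ev, start: datetime, window: timedelta) -> bool:
    return start <= datetime.fromisoformat(ev["Time"]) <= start + window


def find_chains(events, window=timedelta(hours=1)):
    """Return accounts created, made local admin and used over RDP within `window`."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["TargetUserName"], []).append(ev)
    hits = []
    for user, evs in by_user.items():
        admin = [e for e in evs if e["EventID"] == 4732 and e.get("GroupName") == "Administrators"]
        rdp = [e for e in evs if e["EventID"] == 4624 and e.get("LogonType") == 10]
        for created in (e for e in evs if e["EventID"] == 4720):
            t0 = datetime.fromisoformat(created["Time"])
            if any(_within(e, t0, window) for e in admin) and any(_within(e, t0, window) for e in rdp):
                hits.append({"user": user, "created": created["Time"],
                             "krbtgt_lookalike": looks_like_krbtgt(user)})
    return hits
```

Running find_chains(SAMPLE_EVENTS) flags only the krtbgt chain; the svc_build account, which was created but never added to Administrators or used over RDP, is not reported.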
These tactics employed by Onyx Sleet demonstrate a deliberate and strategic approach to infiltrating vulnerable servers. By leveraging the TeamCity vulnerability, the threat actors create a foothold within the compromised systems, allowing them to establish persistence and maintain control over the targeted infrastructure.
It is crucial for organizations to promptly patch the TeamCity vulnerability and implement robust security measures to defend against these intrusion tactics. Furthermore, ongoing monitoring and threat intelligence can help detect and mitigate potential attacks by Onyx Sleet and other threat actors within the Lazarus Group.
