
North Korean Threat Actors Exploit Critical TeamCity Vulnerability: What You Need to Know.



Since early October 2023, North Korean state-sponsored threat actors have been exploiting CVE-2023-42793, a critical vulnerability in JetBrains TeamCity On-Premises. TeamCity is a widely used continuous integration/continuous deployment (CI/CD) server for DevOps and software development work, and that is what makes the flaw so attractive: the bug is an authentication bypass that lets an unauthenticated remote attacker run code on the server, and a build server holds source code, build credentials and artifacts that an attacker can turn into a software supply chain compromise. 


The two groups Microsoft has observed are Diamond Sleet (formerly tracked as ZINC) and Onyx Sleet (formerly PLUTONIUM). They have distinct operational objectives and target different sectors. Diamond Sleet pursues espionage, data theft, financial gain, and network destruction, with targets including media, IT services, and defense-related entities worldwide. Onyx Sleet concentrates on defense and IT services organizations in South Korea, the United States, and India. 


Exploiting the vulnerability gives the attackers code execution on the TeamCity server, from which they move into the wider network; targets have included employees at media, defense and aerospace, and IT service provider organizations in the US, UK, India, and Russia. Once inside, each group deploys its own toolset: Diamond Sleet has used the ForestTiger backdoor together with the RollSling and FeedLoad loaders, while Onyx Sleet has used the HazyLoad proxy tool to keep access to the compromised host. 



JetBrains, the company behind TeamCity, fixed the vulnerability in TeamCity 2023.05.4 and published a security patch plugin for installations that cannot upgrade immediately. Patching alone is not enough, though: any server that was reachable while unpatched should be treated as potentially compromised. Organizations should investigate for signs of intrusion, block inbound traffic from the IP addresses published as indicators, and run a security solution such as Microsoft Defender Antivirus, which detects the malware used in these attacks. Where malicious activity is found, contain it, review the device timeline for signs of lateral movement, and rotate any credentials and tokens the TeamCity server had access to, since an attacker with code execution on the server can read them. 


Threat intelligence presented at CyberWarCon 2022 by Microsoft and LinkedIn analysts had already documented ZINC (the group now tracked as Diamond Sleet) weaponizing legitimate open-source software against a range of organizations. The TeamCity campaign shows the same actor moving from trojanized tools to direct exploitation of an exposed service, which underscores both the sophistication of these groups and the need for robust, layered cybersecurity measures. 


Microsoft has published indicators of compromise (IOCs) and advanced hunting queries to support investigation and response. The primary lesson is the same as ever: keep internet-facing systems patched, and pair patching with monitoring, because an exploited build server is a foothold into everything that server builds. 
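As an added example (not code from the original post, and not Microsoft's published hunting queries), the following Python script performs the two offline checks the mitigation advice above calls for: it decides whether a TeamCity version string predates the fixed release 2023.05.4, and it runs a simple hunt over process-creation events for the TeamCity server process spawning a command interpreter, which is the endpoint-side symptom of unauthenticated code execution through the server. The log format, field names and sample events are constructed for this example; the way the server and build-agent processes are recognised is an assumption about a typical Windows install, not a real EDR schema.

```python
"""Added example: two offline checks for CVE-2023-42793 (TeamCity On-Premises).

1. Compare a reported TeamCity version string against the fixed release 2023.05.4.
2. Hunt constructed process-creation events for the TeamCity *server* process
   spawning a command interpreter.

Log format, field names and sample events are constructed for this example;
the server/agent recognition heuristic is an assumption, not an EDR schema.
"""
import ntpath
import re
from dataclasses import dataclass

FIXED_VERSION = (2023, 5, 4)          # JetBrains shipped the fix in 2023.05.4
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner: str) -> tuple[int, int, int]:
    """Turn a banner such as '2023.05.3 (build 129390)' into (2023, 5, 3)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {banner!r}")
    year, minor, patch = m.groups()
    return (int(year), int(minor), int(patch or 0))


def is_vulnerable_version(banner: str) -> bool:
    """True when the version predates the fixed release.

    Caveat: JetBrains also published a security patch plugin for older
    versions, and installing it does not change the version string, so a
    True result means 'confirm the plugin is present', not 'exploitable'.
    """
    return parse_version(banner) < FIXED_VERSION


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


# Interpreters and launchers an attacker would spawn from the server process.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}
# Assumption: on Windows the server runs as java.exe/javaw.exe started by the
# Tomcat bootstrap, or under the TeamCity Windows service wrapper.
SERVER_IMAGES = {"java.exe", "javaw.exe", "teamcityservice.exe"}


def _is_teamcity_server(parent_image: str, parent_cmdline: str) -> bool:
    """Recognise the server JVM and exclude build agents, which legitimately
    run cmd.exe for build steps and would otherwise flood the hunt."""
    name = ntpath.basename(parent_image).lower()
    context = (parent_image + " " + parent_cmdline).lower()
    return (name in SERVER_IMAGES
            and "teamcity" in context
            and "buildagent" not in context)


def parse_events(log_text: str) -> list[ProcEvent]:
    """Parse pipe-delimited lines: host|parent_image|parent_cmdline|image|cmdline."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"malformed event: {line!r}")
        events.append(ProcEvent(*parts))
    return events


def hunt_server_spawned_interpreters(log_text: str) -> list[ProcEvent]:
    """Return events where the TeamCity server process spawned an interpreter."""
    return [e for e in parse_events(log_text)
            if _is_teamcity_server(e.parent_image, e.parent_cmdline)
            and ntpath.basename(e.image).lower() in INTERPRETERS]


# Constructed sample events (not real telemetry). Lines 1 and 4 are the
# suspicious ones; line 2 is normal server VCS activity, line 3 is a user
# shell on a workstation, line 5 is a build agent running a build step.
SAMPLE_LOG = r"""
ci01|C:\TeamCity\jre\bin\java.exe|java -cp bin\bootstrap.jar org.apache.catalina.startup.Bootstrap start|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
ci01|C:\TeamCity\jre\bin\java.exe|java -cp bin\bootstrap.jar org.apache.catalina.startup.Bootstrap start|C:\Program Files\Git\bin\git.exe|git fetch origin
ws07|C:\Windows\explorer.exe|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
ci01|C:\TeamCity\jre\bin\java.exe|java -cp bin\bootstrap.jar org.apache.catalina.startup.Bootstrap start|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c Get-Process
ci01|C:\TeamCity\buildAgent\jre\bin\java.exe|java -cp launcher.jar jetbrains.buildServer.agent.AgentMain|C:\Windows\System32\cmd.exe|cmd.exe /c gradlew.bat build
"""


if __name__ == "__main__":
    for banner in ("2023.05.3 (build 129390)", "2023.05.4"):
        state = "predates fix" if is_vulnerable_version(banner) else "fixed"
        print(f"{banner}: {state}")
    for hit in hunt_server_spawned_interpreters(SAMPLE_LOG):
        print(f"[{hit.host}] TeamCity server spawned: {hit.cmdline}")
```

Running the script flags only the two events where the server JVM spawned cmd.exe and powershell.exe; the build agent's cmd.exe is excluded on purpose because agents run shell build steps all day. In a real environment the pipe-delimited parser would be replaced by the EDR's own process-creation table, and the version check should be paired with confirmation that the JetBrains patch plugin is installed wherever the version string is older than 2023.05.4.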

 

In conclusion, the threat landscape keeps evolving, and build infrastructure is now squarely in scope. Organizations must remain vigilant: keep systems updated, treat CI/CD servers as the high-value assets they are, and take a proactive approach to detection and response. 


“This blog was written by the Activated Solutions team. If you are a business owner or an individual concerned about your cybersecurity, it's time to take action. Activated Solutions can help you to protect your business and personal data from potential cyber threats.  

Contact Activated Solutions today to learn more about how they can help you protect your business. With our expertise and commitment to cybersecurity, you can have peace of mind knowing that you are taking proactive steps to protect yourself and your business from potential data breaches. 

  

For more information, please visit: activatedsolutions.ca.” 

 

 

Works Cited: 

"Multiple North Korean Threat Actors Exploiting the TeamCity CVE-2023-42793 Vulnerability." Microsoft Security Blog, 18 Oct. 2023, www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

 

"North Korean Hackers Exploit Critical TeamCity Flaw to Breach Networks." Bleeping Computer, www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-critical-teamcity-flaw-to-breach-networks/

 

"North Korea Hackers Exploit JetBrains TeamCity." Cybersecurity Dive, www.cybersecuritydive.com/news/north-korea-hackers-jetbrains-teamcity/697332/
