"North Korean Hackers Exploiting Recent TeamCity Vulnerability"

According to Microsoft, multiple North Korean threat actors have been observed exploiting a recent vulnerability in JetBrains' TeamCity continuous integration and continuous deployment (CI/CD) server. Tracked as CVE-2023-42793, the critical-severity flaw allows unauthenticated attackers to execute code remotely on vulnerable on-premises TeamCity instances and gain administrator-level permissions. JetBrains released patches for the bug on September 21, and the first in-the-wild exploitation attempts were reported only one week later.

Microsoft noted that at least two North Korean state-sponsored threat actors, Diamond Sleet and Onyx Sleet, have been exploiting CVE-2023-42793 in attacks. The tech giant points out that both groups have previously conducted software supply chain attacks and warns that this activity poses a high risk to impacted organizations. Based on the profile of the victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and used techniques that may enable persistent access to victim environments.

Organizations are advised to apply the patches for CVE-2023-42793 as soon as possible, investigate their networks for potential compromise, block traffic from the IP addresses in Microsoft's list of indicators of compromise (IoCs), immediately remediate any identified malicious activity, and investigate potential lateral movement.

SecurityWeek reports: "North Korean Hackers Exploiting Recent TeamCity Vulnerability"

Submitted by Adam Ekwall on