Pyongyang Hackers Exploiting Critical TeamCity Server Bug
North Korean nation-state threat actors are exploiting a critical remote code execution vulnerability affecting multiple versions of a DevSecOps tool – a high-risk development, especially in light of Pyongyang hackers’ recent track record of supply chain hacks.
Researchers at Microsoft said Wednesday that North Korean nation-state threat actors tracked as Diamond Sleet and Onyx Sleet are exploiting a remote code execution vulnerability affecting multiple versions of the JetBrains TeamCity server.
JetBrains on Sept. 21 issued a critical security update to patch its TeamCity build management and continuous integration server.
SonarSource first identified the flaw, tracked as CVE-2023-42793, and said that the vulnerability allows unauthenticated attackers to execute arbitrary code on the TeamCity on-premises server, which enables attackers to steal source code, service secrets and private keys (see: Ransomware Actors Exploit Critical Bug, Target DevOps Tool).
TeamCity’s on-premises CI/CD server is used by more than 30,000 users worldwide, including Nike, Ferrari, Citibank and Ubisoft. Servers such as TeamCity are high-value targets for attackers.
The North Korean nation-state threat actor Diamond Sleet prioritizes espionage, data theft, financial gain and network destruction. It is known to target media, IT services and defense-related entities around the world.
Diamond Sleet previously targeted security researchers in January 2021 and weaponized open-source software in September 2022. In August, it conducted a software supply chain compromise of a German software provider (see: North Korean Hackers Target South Korean Naval Shipyards).
Onyx Sleet is another North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States and India. It employs a set of tools developed in-house to establish persistent access to victim environments and remain undetected.
North Korean hackers earlier this year executed a likely first by using a supply chain hack against a financial trading software developer to cause a second supply chain hack to desktop phone developer 3CX (see: North Korean Hackers Chained Supply Chain Hacks to Reach 3CX).
Diamond Sleet used the backdoor Forest64.exe, known as “ForestTiger.” Once hackers successfully compromise TeamCity servers, they use PowerShell to download two payloads – the backdoor and a malware configuration file – from legitimate infrastructure previously compromised by the threat actor.
When launched, ForestTiger checks for the configuration file and then reads and decrypts the contents of that file using an embedded key in order to obtain parameters such as the command-and-control server.
Microsoft said ForestTiger creates a scheduled task named “Windows TeamCity Settings User Interface” to run every time the system starts.
Diamond Sleet also uses PowerShell on compromised servers to download a malicious DLL from attacker-controlled infrastructure. This malicious DLL is staged with a legitimate .exe file to carry out DLL search-order hijacking.
Onyx Sleet has used the TeamCity exploit to create a new user account named “krtbgt” on compromised systems. The name likely is intended to impersonate the legitimate Windows account name KRBTGT, the Kerberos Ticket Granting Ticket, Microsoft said.
The threat actor adds the user account to the local administrators group, which enables it to run several system discovery commands on compromised systems, including:
net localgroup 'Remote Desktop Users'
net localgroup Administrators
cmd.exe "/c tasklist | findstr Sec"
cmd.exe "/c whoami"
cmd.exe "/c netstat -nabp tcp"
cmd.exe "/c ipconfig /all"
cmd.exe "/c systeminfo"
It deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. This payload decrypts an embedded PE resource, loads it into memory and launches it directly.
“The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Microsoft Defender Antivirus detects this proxy tool as HazyLoad,” Microsoft said.
Microsoft said it had observed the attackers using the “krtbgt” account to sign in to the compromised device via Remote Desktop Protocol and attempting to stop other hackers from exploiting the vulnerability to access TeamCity.
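As an added illustration, not from the article or from Microsoft’s report, the following Python hunt flags the post-exploitation artifacts described above in Windows Security events: a KRBTGT-lookalike local account, its addition to Administrators, the ForestTiger scheduled task, and RDP logons by that account. Event IDs 4720, 4732, 4698 and 4624 are the standard Windows Security log IDs for those actions; the event records are constructed samples, and the similarity threshold is an assumption.

```python
"""Hunt Windows Security events for the TeamCity post-exploitation artifacts
described in the article. Records are constructed samples, not real telemetry."""
from difflib import SequenceMatcher

FOREST_TIGER_TASK = "Windows TeamCity Settings User Interface"  # task name from the report
LEGIT_KRBTGT = "krbtgt"


def is_krbtgt_lookalike(name):
    """True for names that resemble KRBTGT but are not the real account,
    e.g. 'krtbgt' (the transposition Onyx Sleet used). 0.8 is an assumed cutoff."""
    n = name.lower()
    if n == LEGIT_KRBTGT:
        return False
    return SequenceMatcher(None, n, LEGIT_KRBTGT).ratio() >= 0.8


def hunt(events):
    """Return (event_id, finding) tuples for records matching the described TTPs."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4720 and is_krbtgt_lookalike(ev["TargetUserName"]):
            findings.append((eid, f"KRBTGT-lookalike account created: {ev['TargetUserName']}"))
        elif (eid == 4732 and ev.get("TargetUserName", "").lower() == "administrators"
              and is_krbtgt_lookalike(ev["MemberName"])):
            findings.append((eid, f"lookalike account added to Administrators: {ev['MemberName']}"))
        elif eid == 4698 and ev["TaskName"].strip("\\") == FOREST_TIGER_TASK:
            findings.append((eid, f"ForestTiger persistence task registered: {ev['TaskName']}"))
        elif eid == 4624 and ev.get("LogonType") == 10 and is_krbtgt_lookalike(ev["TargetUserName"]):
            findings.append((eid, f"RDP (logon type 10) by lookalike account: {ev['TargetUserName']}"))
    return findings


# Constructed sample events. In a real 4732 the member is a SID (MemberSid);
# it is shown here already resolved to a name for simplicity.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "krtbgt", "SubjectUserName": "SYSTEM"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "krtbgt"},
    {"EventID": 4698, "TaskName": "\\Windows TeamCity Settings User Interface"},
    {"EventID": 4624, "TargetUserName": "krtbgt", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "krbtgt", "LogonType": 3},  # real account, benign
    {"EventID": 4720, "TargetUserName": "buildagent", "SubjectUserName": "admin"},
]

if __name__ == "__main__":
    for eid, msg in hunt(SAMPLE_EVENTS):
        print(eid, msg)
```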