Russian Cyber Actors are Exploiting a Known Vulnerability with Worldwide Impact – National Security Agency

FORT MEADE, Md. – The National Security Agency (NSA), Federal Bureau of Investigation (FBI), and co-authoring agencies warn that Russian Foreign Intelligence Service (SVR) cyber actors are exploiting a publicly known vulnerability to compromise victims globally, including in the United States and in allied countries. To raise awareness and help organizations identify, protect, and mitigate this malicious activity, the authoring agencies have jointly released the Cybersecurity Advisory (CSA), “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally.”
 
The CSA details the tactics, techniques, and procedures (TTPs) employed by the SVR actors, technical details of their operation, indicators of compromise (IOCs), and mitigation recommendations for network defenders.

“Russian cyber actors continue taking advantage of known vulnerabilities for intelligence collection,” said Rob Joyce, Director of NSA’s Cybersecurity Directorate. “It is critical to ensure systems are patched quickly, and to implement the mitigations and use the IOCs listed in this report to hunt for adversary persistent access.”

The U.S. Cybersecurity & Infrastructure Security Agency (CISA), the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) collaborated with NSA and the FBI to assess the SVR cyber actors’ recent malicious activities.

The SVR cyber actors, who are also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, have been targeting Internet-connected JetBrains TeamCity servers globally as early as September 2023. Victims identified in the report include companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games, as well as hosting companies, tool manufacturers, small and large IT companies, and an energy trade association.

The CSA notes that SVR actors exploit a known vulnerability, CVE-2023-42793, to gain initial access to the TeamCity servers and then perform malicious activities, such as escalating privileges, moving laterally, deploying additional backdoors, and taking other steps to ensure persistent, long-term access to the compromised network environments.
 
According to the CSA, software developers use TeamCity servers to manage and automate software development, compilation, testing, and releasing. Access to a TeamCity server can provide malicious actors with access to source code, signing certificates, and the ability to subvert software compilation and deployment processes and conduct malicious supply chain operations.

The agencies recommend organizations implement the mitigations in the advisory to improve their cybersecurity posture based on the SVR cyber actors’ malicious activity. Mitigations listed in the CSA include implementing a patch issued by JetBrains TeamCity, deploying host-based and endpoint protection systems, using multi-factor authentication, and auditing log files.
 
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721