
JetBrains TeamCity Authentication Bypass Attack

Released: Dec 15, 2023

Updated: Dec 15, 2023


High Severity

Vulnerability, Attack Type


Advanced persistent threat (APT) groups are exploiting the flaw in a CI/CD application

Multiple threat actors have been observed exploiting an authentication bypass flaw in JetBrains TeamCity that can lead to remote code execution. Once a TeamCity server is compromised, attackers gain access to the organization's source code and signing certificates, and the ability to manipulate software build and deployment pipelines. That access can also be abused to mount software supply chain attacks against the organization's downstream customers.

Common Vulnerabilities and Exposures

CVE-2023-42793

Background

TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities. Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing.

Latest Development

Recent news and incidents related to this threat, including data breaches, cyber-attacks, security incidents, and newly discovered vulnerabilities.


September 6, 2023: Researchers from Sonar discovered a critical TeamCity On-Premises vulnerability (CVE-2023-42793).

September 20, 2023: JetBrains published an advisory and released the fixed version, TeamCity On-Premises 2023.05.4, along with a security patch plugin for customers who cannot upgrade immediately.
https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/

September 27, 2023: Rapid7 published a technical analysis and a public exploit for the vulnerability.

Mid-October 2023: The FortiGuard Incident Response (IR) team was engaged to investigate a compromised organization's network. Full details are in the blog post:
https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793

October 18, 2023: Microsoft Threat Intelligence reported that multiple North Korean threat actors were exploiting the TeamCity CVE-2023-42793 vulnerability.
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/


December 13, 2023: FortiGuard Labs published detailed threat research on a different threat actor, APT29, suspected of exploiting CVE-2023-42793.
https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793

December 13, 2023: CISA and partners released an advisory on Russian SVR-affiliated cyber actors exploiting CVE-2023-42793.
https://www.cisa.gov/news-events/alerts/2023/12/13/cisa-and-partners-release-advisory-russian-svr-affiliated-cyber-actors-exploiting-cve-2023-42793

According to CISA's advisory, this SVR activity compromised a few dozen companies in the United States, Europe, Asia, and Australia. Identified victims included an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; hosting companies; tools manufacturers; and small and large IT companies.
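Because the JetBrains advisory fixes the issue in TeamCity On-Premises 2023.05.4, the first triage step for any fleet is to compare each server's reported version against that release. The script below is an added example written for this page, not JetBrains' or FortiGuard's code; the only fact it takes from the page is the fixed version, while the version-string shapes and the (host, version) inventory format are assumptions for the demo.

```python
"""Patch-status triage for CVE-2023-42793 by TeamCity version string.

Added example, not JetBrains' or FortiGuard's code. The one fact it relies on is
from the JetBrains advisory linked above: TeamCity On-Premises builds before
2023.05.4 are affected. The version strings and the (host, version) inventory
layout are assumptions made for this demo.
"""
import re

FIXED_VERSION = (2023, 5, 4)  # first TeamCity On-Premises release with the fix

# TeamCity versions look like "2023.05.3", "2023.05" or, for very old servers,
# "8.1.5"; anything after the leading dotted numbers (e.g. a build suffix) is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn a TeamCity version string into a comparable (major, minor, patch) tuple.
    A missing patch component counts as 0, so "2023.05" sorts below "2023.05.4"."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    """True when the server is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory):
    """inventory: iterable of (host, version_text) pairs.
    Returns [(host, version_text, status)] with status VULNERABLE, patched or unknown.
    Unparsable versions are flagged as unknown rather than silently treated as safe."""
    report = []
    for host, version_text in inventory:
        try:
            status = "VULNERABLE" if is_vulnerable(version_text) else "patched"
        except ValueError:
            status = "unknown"
        report.append((host, version_text, status))
    return report


if __name__ == "__main__":
    # Constructed inventory for the demo (hypothetical hosts, not real servers).
    demo = [
        ("ci-build-01", "2023.05.3"),
        ("ci-build-02", "2023.05.4"),
        ("ci-legacy", "2022.10.3"),
        ("ci-unknown", "n/a"),
    ]
    for host, version, status in triage(demo):
        print(f"{host:12} {version:12} {status}")
```

A version check cannot see whether the JetBrains security patch plugin was installed on an older server, so treat VULNERABLE as "confirm by hand" rather than as proof of exposure, and treat "unknown" as a finding in its own right: a server whose version cannot be read is one nobody is tracking.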

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • Vulnerability

  • AV (Pre-filter)

  • IPS

  • Web App Security

  • Web & DNS Filter

  • Botnet C&C

DETECT
  • Outbreak Detection

  • Threat Hunting

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of Compromise

IOC Indicator List (indicator, type, status)
0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8... file Active
109.237.96.124 ip Active
79.110.62.188 ip Active
olidhealth.com domain Active
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695... file Active
185.174.137.26 ip Active
161.35.176.95 ip Active
164.90.205.35 ip Active
144.126.198.24 ip Active
165.227.151.123 ip Active
167.99.48.60 ip Active
199.195.253.124 ip Active
109.237.96.251 ip Active
198.46.215.243 ip Active
https://1drv.ms/i/s!AGVbcHFCdi2qiT4 url Active
103.76.128.34 ip Active
128.239.22.138 ip Active
167.114.3.69 ip Active
103.149.249.228 ip Active
212.113.106.100 ip Active
43.248.34.77 ip Active
195.80.148.18 ip Active
20.222.6.225 ip Active
77.246.102.14 ip Active
103.89.13.155 ip Active
104.207.152.236 ip Active
154.26.133.111 ip Active
167.179.75.213 ip Active
188.166.87.88 ip Active
195.246.120.4 ip Active
74.207.242.113 ip Active
45.82.122.161 ip Active
188.166.223.105 ip Active
45.144.3.138 ip Active
78.61.63.205 ip Active
1.53.255.131 ip Active
216.146.26.21 ip Active
154.204.32.84 ip Active
194.110.13.51 ip Active
23.19.117.56 ip Active
38.54.84.60 ip Active
85.203.36.195 ip Active
45.141.215.129 ip Active
82.118.29.13 ip Active
82.118.29.21 ip Active
45.138.16.63 ip Active
000752074544950ae9020a35ccd77de277f1cd5026b4b95... file Active
0be1908566efb9d23a98797884f2827de040e4cedb642b6... file Active
aeon-petro.com domain Active
bandarpowder.com domain Active
commune-fraita.ma domain Active
d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb... file Active
dersmarketim.com domain Active
e06f29dccfe90ae80812c2357171b5c48fba189ae103d28... file Active
f251144f7ad0be0045034a1fc33fb896e8c32874e0b0586... file Active
fa7f6ac04ec118dd807c1377599f9d369096c6d8fb1ed24... file Active
http://147.78.149.201:9090/imgr.ico url Active
http://162.19.71.175:7443/bottom.gif url Active
http://www.aeon-petro.com/wcms/plugins/addition... url Active
http://www.aeon-petro.com/wcms/plugins/addition... url Active
http://www.bandarpowder.com/public/assets/img/cfg.png url Active
http://www.bandarpowder.com/public/assets/img/u... url Active
http://www.mge.sn/themes/classic/modules/ps_rss... url Active
http://www.mge.sn/themes/classic/modules/ps_rss... url Active
https://commune-fraita.ma/wp-content/plugins/wp... url Active
https://www.bandarpowder.com/public/assets/img/cfg.png url Active
https://www.bandarpowder.com/public/assets/img/... url Active
3dkit.org domain Active
galerielamy.com domain Active
mge.sn domain Active
vadtalmandir.org domain Active
147.78.149.201 ip Active
147.78.149.201:9090 ip Active
162.19.71.175 ip Active
162.19.71.175:7443 ip Active
https://vadtalmandir.org/admin/ckeditor/plugins... url Active
170.64.220.72 ip Active
188.166.148.243 ip Active
194.38.22.53 ip Active
91.103.253.147 ip Active
65.20.97.203 ip Active
65.20.97.203:443 ip Active
65.21.51.58 ip Active
http://poetpages.com:8443/ url Active
https://matclick.com/wp-query.php url Active
matclick.com domain Active
poetpages.com domain Active
18101518eae3eec6ebe453de4c4c380160774d7c3ed5c79... file Active
4bf1915785d7c6e0987eb9c15857f7ac67dc365177a1707... file Active
620d2bf14fe345eef618fdd1dac242b3a0bb65ccb75699f... file Active
8afb71b7ce511b0bce642f46d6fc5dd79fad86a58223061... file Active
cb83e5cb264161c28de76a44d0edb450745e773d24bec58... file Active
219fb90d2e88a2197a9e08b0e7811e2e0bd23d592332875... file Active
92c7693e82a90d08249edeafbca6533fed81b62e9e056de... file Active
c832462c15c8041191f190f7a88d25089d57f78e97161c3... file Active
d724728344fcf3812a0664a80270f7b4980b82342449a8c... file Active
01b5f7094de0b2c6f8e28aa9a2ded678c166d615530e595... file Active
128.239.22.138:443 ip Active
19f1ef66e449cf2a2b0283dbb756850cca396114286e148... file Active
1e74cf0223d57fd846e171f4a58790280d4593df1f23132... file Active
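The list above mixes four indicator types, prints some entries as ip:port pairs, and truncates long hashes and URLs with "...". The script below is an added example, not FortiGuard's tooling: it parses indicators in that same "value type status" layout and sweeps them over log lines. The seven indicators in IOC_TEXT are copied from the list; the key=value log format and the log lines themselves are constructed for the demo (the 64-character hash in the sample log is the page's truncated prefix padded with zeros, not a real file hash). Truncated indicators are matched as prefixes, which is the only practical way to use them as printed.

```python
"""Offline IOC sweep over the 'value type status' list printed on this page.

Added example, not FortiGuard's own code. Indicators in IOC_TEXT are copied from
the page's list; SAMPLE_LOGS and the key=value log layout are constructed for the
demo. Entries ending in '...' (truncated hashes/URLs) are treated as prefixes.
"""
import re
from urllib.parse import urlparse

IOC_TEXT = """\
0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8... file Active
109.237.96.124 ip Active
olidhealth.com domain Active
147.78.149.201:9090 ip Active
http://147.78.149.201:9090/imgr.ico url Active
https://matclick.com/wp-query.php url Active
matclick.com domain Active
"""

# Constructed sample log lines (not from any real incident).
SAMPLE_LOGS = [
    "2023-10-16T08:01:12Z host=build01 kind=dns query=www.olidhealth.com",
    "2023-10-16T08:01:13Z host=build01 kind=net dst=109.237.96.124:443",
    "2023-10-16T08:02:40Z host=build02 kind=http url=http://147.78.149.201:9090/imgr.ico",
    "2023-10-16T08:03:05Z host=build02 kind=file "
    "sha256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb800000000000000000",
    "2023-10-16T08:04:00Z host=build03 kind=net dst=10.0.0.5:8111",
    "2023-10-16T08:05:00Z host=build03 kind=dns query=update.example.org",
]

_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
_HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class IocSet:
    """Indicators parsed from the page layout, keyed for fast lookup."""

    def __init__(self, text):
        self.ips = {}        # "1.2.3.4" -> indicator exactly as printed
        self.ip_ports = {}   # ("1.2.3.4", 9090) -> indicator as printed
        self.domains = {}    # "example.com" -> indicator as printed
        self.hashes = []     # (lower-case hex prefix, indicator as printed)
        self.urls = []       # (url or url prefix, truncated?, indicator as printed)
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            raw, kind = parts[0], parts[1].lower()
            truncated = raw.endswith("...")
            value = raw[:-3] if truncated else raw
            if kind == "ip":
                host, _, port = value.partition(":")
                if port:
                    self.ip_ports[(host, int(port))] = raw
                else:
                    self.ips[host] = raw
            elif kind == "domain":
                self.domains[value.lower()] = raw
            elif kind == "file":
                self.hashes.append((value.lower(), raw))
            elif kind == "url":
                self.urls.append((value, truncated, raw))

    def match_host(self, host, port=None):
        """Exact ip:port first, then bare IP, then domain or any of its subdomains."""
        if port is not None and (host, port) in self.ip_ports:
            return self.ip_ports[(host, port)]
        if host in self.ips:
            return self.ips[host]
        host = host.lower()
        for domain, raw in self.domains.items():
            if host == domain or host.endswith("." + domain):
                return raw
        return None

    def match_value(self, value):
        """Return the matching indicator (as printed on the page) or None."""
        m = _IP_RE.match(value)
        if m:
            return self.match_host(m.group(1), int(m.group(2)) if m.group(2) else None)
        if _SHA256_RE.match(value.lower()):
            for prefix, raw in self.hashes:
                if value.lower().startswith(prefix):
                    return raw
            return None
        if value.startswith(("http://", "https://")):
            for url, truncated, raw in self.urls:
                if value == url or (truncated and value.startswith(url)):
                    return raw
            u = urlparse(value)  # no URL hit: fall back to the host part
            return self.match_host(u.hostname, u.port) if u.hostname else None
        if _HOST_RE.match(value.lower()):
            return self.match_host(value)
        return None


def sweep(ioc_text, log_lines):
    """Return [(line_number, field, indicator)] for every log field that hits an IOC."""
    iocs = IocSet(ioc_text)
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in line.split():
            key, sep, value = token.partition("=")
            if sep and (hit := iocs.match_value(value)):
                hits.append((n, key, hit))
    return hits


if __name__ == "__main__":
    for n, field, indicator in sweep(IOC_TEXT, SAMPLE_LOGS):
        print(f"line {n}: {field} matched {indicator}")
```

Two design choices are worth noting. An ip:port indicator is matched only on that port, so a connection to 147.78.149.201 on another port hits nothing unless the bare IP is also listed (as it is in the full list above); if you want looser matching, add the host part to `ips` as well. And a URL that misses every URL indicator still has its hostname checked against the domain and IP entries, so a lookalike path on a listed domain is not lost.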