Microsoft has warned of recent activity by North Korean hackers who are using a TeamCity flaw to breach networks.
According to the reports, the Lazarus and Andariel groups are exploiting CVE-2023-42793 in TeamCity servers to deploy backdoor malware and carry out software supply chain attacks.
TeamCity is an integral part of many organisations’ software development infrastructure, and the vulnerability carries a critical severity score of 9.8/10: it could allow unauthorised attackers to execute code remotely.
Threat actors have quickly integrated the TeamCity flaw into their attack process.
According to the investigations, North Korean hackers, and ransomware gangs in particular, began leveraging the TeamCity flaw almost immediately, even though its developers released a patch promptly to address the vulnerability.
Microsoft’s team noted that Lazarus and Andariel have been the most active groups capitalising on CVE-2023-42793 to compromise TeamCity servers.
The North Korean threat actors, including Diamond Sleet, have been notorious for carrying out successful software supply chain attacks by infiltrating build environments.
Once a TeamCity server has been breached, the threat actors use several different attack chains to introduce backdoors and establish persistence on the compromised network, which poses a significant threat to the affected organisations.
Lazarus, for instance, deployed the ForestTiger malware in one attack chain; it functions as a backdoor for executing commands on the compromised server. Another attack chain uses DLL search order hijacking to launch a malware loader named FeedLoad, which in turn installs a remote access Trojan (RAT).
Andariel, on the other hand, has taken a more hands-on approach: the group creates a ‘krtbgt’ admin account on the compromised server and runs commands to harvest system information. It then deploys a payload that installs the HazyLoad proxy tool to maintain a persistent connection to the targeted server.
In all of these cases, the hackers eventually extract data from the Local Security Authority Subsystem Service (LSASS), which holds cached credentials, and use it for lateral movement within the compromised network.
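The behaviours described above leave traces that a defender can look for in Windows Security and Sysmon telemetry: the creation of a lookalike ‘krtbgt’ account (a near-miss for the legitimate built-in ‘krbtgt’ account), the addition of a new member to the local Administrators group, and a process other than the usual system components opening a handle to lsass.exe. The following Python script is an added illustration, not code from Microsoft’s report or from TeamCity; it runs over a handful of constructed sample events and flags each of these three patterns. The event IDs used (Security 4720 and 4732, Sysmon 10) are real Windows event IDs; the field names, the allow-list of expected LSASS accessors, and the sample events themselves are assumptions for the sake of the example and would need to be tuned to real telemetry.

```python
"""Added example: flag TeamCity-compromise follow-on behaviour in Windows telemetry.

Rules implemented:
  1. Security 4720 (user account created) where the new name is a near-miss
     of the built-in 'krbtgt' account, e.g. the 'krtbgt' name seen in the
     Andariel attack chain.
  2. Security 4732 (member added to a security-enabled local group) where the
     group is Administrators.
  3. Sysmon 10 (process access) where the target is lsass.exe and the source
     process is not on a short allow-list of expected system accessors.
"""

# Constructed sample events; field names are simplified assumptions, not a
# real log schema. No real host produced these records.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4720,
     "subject": "TEAMCITY\\svc_build", "target_user": "krtbgt"},
    {"channel": "Security", "event_id": 4732,
     "subject": "TEAMCITY\\svc_build", "group": "Administrators", "member": "krtbgt"},
    {"channel": "Security", "event_id": 4720,
     "subject": "TEAMCITY\\admin", "target_user": "jdoe"},
    {"channel": "Sysmon", "event_id": 10,
     "source_image": "C:\\Windows\\Temp\\update.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"channel": "Sysmon", "event_id": 10,
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
]

# Illustrative allow-list of processes that legitimately open lsass.exe.
# An assumption for this example; a real baseline is built per environment.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

LEGIT_ACCOUNT = "krbtgt"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used for lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike(name: str, legit: str = LEGIT_ACCOUNT, max_distance: int = 2) -> bool:
    """True when a new account name is close to, but not equal to, a protected name."""
    candidate = name.lower()
    return candidate != legit and levenshtein(candidate, legit) <= max_distance


def analyze(events):
    """Apply the three rules and return a list of alerts in event order."""
    alerts = []
    for ev in events:
        chan, eid = ev["channel"], ev["event_id"]
        if chan == "Security" and eid == 4720 and is_lookalike(ev["target_user"]):
            alerts.append({"rule": "lookalike_account_created", "event": ev})
        elif chan == "Security" and eid == 4732 and ev.get("group", "").lower() == "administrators":
            alerts.append({"rule": "local_admin_added", "event": ev})
        elif chan == "Sysmon" and eid == 10 and ev["target_image"].lower().endswith("\\lsass.exe"):
            source = ev["source_image"].rsplit("\\", 1)[-1].lower()
            if source not in LSASS_ACCESS_ALLOWLIST:
                alerts.append({"rule": "unexpected_lsass_access", "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["event"])
```

Run against the constructed events, the script raises three alerts (the ‘krtbgt’ creation, its addition to Administrators, and the lsass.exe access from a temp-directory binary) and stays silent on the ordinary ‘jdoe’ account and on csrss.exe touching LSASS. The edit-distance check is deliberately loose so that other transpositions of the protected name are caught as well; the trade-off is that it should be paired with an exact list of names you expect to be created in your environment.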
Organisations should review the published technical details and IoCs for each of these attack chains, including how the attackers exploited the TeamCity vulnerability, in order to prevent or mitigate the threat posed by these hackers.