Microsoft: TeamCity CI/CD Environments Under Attack By North Korean Hackers
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.
This week: Microsoft warns that North Korean APT groups are actively exploiting a critical remote code execution flaw in the JetBrains TeamCity CI/CD server. Also, a report finds that open source supply chain attacks have tripled since 2019.
This Week’s Top Story
Microsoft warned on Wednesday that it has observed two North Korean nation-state threat actors attacking software development organizations through the TeamCity continuous integration/continuous delivery (CI/CD) server. The groups, which Microsoft tracks as "Diamond Sleet" and "Onyx Sleet," are exploiting a remote code execution (RCE) vulnerability (CVE-2023-42793) that was recently disclosed and patched in JetBrains TeamCity On-Premises server.
Microsoft said the groups have a history of successful "software supply chain attacks by infiltrating build environments." It is advising organizations that run TeamCity to apply JetBrains' patch as soon as possible.
JetBrains, TeamCity's publisher, said in a blog post that the authentication bypass flaw in TeamCity On-Premises was discovered in early September and patched by late September. The flaw lets an unauthenticated attacker with HTTP(S) access to a TeamCity server bypass authentication and execute code remotely, and thereby obtain administrative control of the server, JetBrains said.
Microsoft said it first detected attacks leveraging the flaw in early October. In those attacks, the North Korean actors used a variety of malware and hacking tools to plant backdoors in compromised Windows-based TeamCity environments.
Those backdoors are likely to persist even after the TeamCity security patch is applied, leaving victim organizations open to follow-on attacks, JetBrains warned.
Microsoft said it did not discern any pattern in the attacks it has observed, which appear to be "opportunistic." Both groups, however, are known for targeted operations. Diamond Sleet (formerly tracked as ZINC) conducts espionage, data theft and destructive attacks against media, IT services and defense-related organizations, including attacks on security researchers in January 2021 and a software supply chain compromise of a German software provider in August.
Onyx Sleet (formerly PLUTONIUM) has been observed targeting defense and IT services organizations in South Korea, the United States and India.
Microsoft urged customers to apply the patch immediately and published a list of indicators of compromise (IOCs) that organizations can use to determine whether they have already been compromised. Any asset showing evidence of compromise should be assumed to be under attacker control and isolated immediately, the company said.
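A practical first step against the TeamCity flaw described above is an inventory sweep for servers still below the fixed release. The Python script below is an added example, not code from Microsoft, JetBrains or the original article; the host names and version strings are constructed for the demo, and the cut-off is JetBrains' stated fixed release, TeamCity 2023.05.4. It parses the version string that TeamCity prints in its login page footer and in its REST server endpoint (for example "2023.05.3 (build 129390)") and buckets each host as vulnerable, patched or unknown.

```python
import re
from typing import Optional, Tuple

# Constructed inventory for the demo, not data from the article.
# Version strings use the format TeamCity exposes on its login page footer
# and in /app/rest/server, e.g. "2023.05.3 (build 129390)".
INVENTORY = {
    "build01.corp.example": "2023.05.3 (build 129390)",
    "build02.corp.example": "2023.05.4 (build 129421)",
    "legacy-ci.corp.example": "2022.10.1",
    "mystery.corp.example": "n/a",   # banner scrape failed
}

# First release that fixes CVE-2023-42793 (JetBrains advisory, September 2023).
FIXED_VERSION = (2023, 5, 4)

# year.minor[.bugfix], optionally followed by " (build N)" which we ignore.
# Pre-release (EAP) builds are not handled and should be checked by hand.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, minor, bugfix) from a TeamCity version string, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    year, minor, bugfix = m.groups()
    return (int(year), int(minor), int(bugfix or 0))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the fixed release, False if at/after it, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None          # unknown is not the same as safe
    return v < FIXED_VERSION


def triage(inventory: dict) -> dict:
    """Bucket hosts into vulnerable / patched / unknown, sorted by host name."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_vulnerable(version)
        if status is None:
            report["unknown"].append(host)
        elif status:
            report["vulnerable"].append(host)
        else:
            report["patched"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Two caveats apply. JetBrains also shipped a security patch plugin for administrators who could not upgrade, and a server fixed that way still reports its old version string, so a "vulnerable" result from this check should be confirmed on the host rather than taken as final. And, as the story notes, a server that was exploited before patching keeps whatever backdoor the attackers planted, so hosts that were exposed while vulnerable should be swept with Microsoft's published IOCs, not just upgraded.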
This Week’s Headlines
OpenSSF Launches Malicious Packages Repository
The Open Source Security Foundation (OpenSSF) launched a Malicious Packages Repository which it said is intended to counter the threat of malicious open source packages, Hack Read reports.
The repository is intended to address the growth in cyberattacks that use deceptive open source packages to compromise development organizations. (HackRead Media)
Open Source Software Supply Chain Attacks Triple
Software supply chain attacks have doubled in a year and tripled since 2019, with 245,032 malicious packages found in open source ecosystems, according to Sonatype's annual "State of the Software Supply Chain Report," as covered by CPO Magazine. That means one in eight open source downloads poses a known and avoidable risk, the firm said. There are other warnings for development organizations as well. Only 11% of the projects Sonatype surveyed were actively maintained, down 18% from 2022, and developers continue to lean on known-vulnerable open source packages: Sonatype estimates that some 2.1 billion downloads of vulnerable packages could have been avoided because updated, non-vulnerable versions of the same packages were available. Attackers have taken notice. Sonatype notes that APT groups such as North Korea's Lazarus are increasingly interested in supply chain attacks. (CPO Magazine)
Supply Chain Attack Targets Telegram, AWS and Alibaba Cloud
The cybersecurity firm Checkmarx said this week that it discovered a new supply chain attack targeting users of popular platforms including the Telegram encrypted messaging service, Alibaba Cloud and AWS, Hack Read reported. The attack, spotted in September, used so-called "starjacking" and "typosquatting" techniques to fool developers into incorporating malicious open source packages into their applications (starjacking points a package's metadata at an unrelated, popular GitHub repository so the package appears to inherit that repository's star count; typosquatting registers names one keystroke or suffix away from a legitimate package). One package, dubbed "Telethon 2," mimicked the official Telethon package but carried hidden malicious code intended to steal sensitive data. (HackRead Media)
Google Links WinRAR Exploitation To Russian, Chinese State Hackers
Google is reporting that state-backed hacking groups are exploiting a high-severity vulnerability in WinRAR, the widely used compression utility, Bleeping Computer reported. Google's Threat Analysis Group (TAG) wrote that it has seen groups from several countries, including Russia's Sandworm and APT28 and China's APT40, exploiting the bug. The vulnerability, CVE-2023-38831, was exploited as a zero-day from April 2023, months before a fix was available. The state-linked attackers delivered malware including the Rhadamanthys infostealer, DarkMe, GuLoader and Remcos RAT through malicious RAR and ZIP archives. Russian groups targeted Ukrainian users with fake invitations, while the Chinese group hit targets in Papua New Guinea. WinRAR fixed the flaw in version 6.23, released August 2, 2023; the continued exploitation underscores that prompt patching remains the main defense against known vulnerabilities. (BleepingComputer)
Resource Roundup
Upcoming Webinar: Yara for the Holidays: Keep the Grinch Away with Custom Automation | October 25
Cyber threats like phishing and ransomware spike during the holiday season, preying on employees and businesses while security teams are away. Join us as we cover the trends and tips to prepare your SOC for the coming season. Attendees will also receive a gift: custom YARA rules from RL. [Register Now ]
On Demand: Threat Modeling and Software Supply Chain Security: Why it matters more than ever.
In this webinar, Chris Romeo, CEO of Devici and co-founder of the Threat Modeling Manifesto, chats with ReversingLabs Field CISO Matt Rose about how threat modeling can be applied to supply chain security to better plan your organization's risk management approach. [Watch Now ]
On Demand: Uncover Software Vendor Risk: How to use Software Supply Chain Analysis to Assess your Software Suppliers
Watch ReversingLabs' software package analysis platform in action and gain insight into a vendor's CI/CD pipeline to enhance your third-party risk assessments. [Watch Now - no form fill required ]