North Korean Hackers Exploit TeamCity Weaknesses

Microsoft Corporation has issued a warning about two North Korean hacker groups, Lazarus and Andariel, exploiting vulnerabilities in TeamCity servers to deploy malicious software and compromise the software supply chain.

TeamCity is a continuous integration and deployment server commonly used by organizations as part of their development infrastructure.

In September, a critical vulnerability in TeamCity (CVE-2023-42793), which allowed unauthorized attackers to execute code remotely, was patched. Despite the prompt fix, cybercriminals have continued to take advantage of the vulnerability to break into corporate networks.

According to a report by Microsoft, the Lazarus group (also tracked as Diamond Sleet, formerly Zinc) and Andariel (Onyx Sleet, formerly Plutonium) have actively exploited CVE-2023-42793. While the ultimate goal of these attacks remains unknown, experts suggest that it may involve targeting software suppliers.

Once they gain access to a TeamCity server, the cybercriminals employ various methods to deploy malicious software and maintain persistent access to the compromised network. Lazarus, for instance, uses a backdoor called ForestTiger to execute commands on the hacked server, giving the group constant and covert access to the system. Andariel, on the other hand, creates an administrative account on the compromised server, which it then uses to gather system information and execute commands.

Microsoft has released more detailed technical information on all identified types of attacks, including indicators of compromise.
