Russian foreign intelligence service spotted exploiting JetBrains vulnerability
Government agencies in the U.S., Poland and the U.K. said on Wednesday that Russia’s Foreign Intelligence Service (SVR) has been exploiting a vulnerability that was exposed earlier this year in a popular product from Czech software giant JetBrains.
Officials said they have notified dozens of companies across the U.S., Europe, Asia and Australia after discovering hundreds of compromised devices.
The agencies attributed the attacks to hackers within the SVR known as APT29 — also tracked by cybersecurity researchers as CozyBear or Midnight Blizzard — and said the “large scale” campaign began in September.
Microsoft previously said North Korean hackers were exploiting the bug — labeled CVE-2023-42793 — in September. It affects a product called TeamCity, which is used by developers to test and exchange software code before its release.
Now the SVR has been spotted “using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” Wednesday’s alert said.
“Generally, the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that SVR’s exploitation of these victims’ networks was opportunistic in nature and not necessarily a targeted attack.”
The organizations attacked include an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as web hosting companies, tool manufacturers, and small and large IT companies.
JetBrains published a patch for the issue on September 20, but the subsequent release of technical details led to immediate exploitation by a range of ransomware groups, according to researchers at PRODAFT. More than 1,200 unpatched servers vulnerable to the issue were discovered.
"As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately," said Yaroslav Russkih, head of security at JetBrains. "This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted."
Aimed at software developers
The advisory was published by the FBI, NSA, U.S. Cybersecurity & Infrastructure Security Agency (CISA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC).
They warned that access to a TeamCity server would “provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes — access a malicious actor could further use to conduct supply chain operations.”
The advisory notes that the SVR previously conducted a similar attack using a vulnerability in SolarWinds' software, but has not used its access to the TeamCity vulnerability in the same way.
One of the main concerns raised in Wednesday’s advisory is the prospect of the SVR benefiting from the compromise of the networks of dozens of software developers who use TeamCity.
“While the authoring agencies assess the SVR has not yet used its accesses to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure,” they said.
Any organization with affected systems that did not immediately apply the patch issued by JetBrains should assume they were compromised and begin investigations.
The agencies said they have seen the SVR use the vulnerability to exfiltrate files that provide insight into a victim’s operating system and use several techniques to “disable or outright kill endpoint detection and response (EDR) and antivirus (AV) software.”
SVR hackers were seen using multiple custom-made and openly available open-source tools and backdoors.
“The FBI, CISA, NSA, SKW, CERT Polska, and NCSC assess the scope and indiscriminate targeting of this campaign poses a threat to public safety and recommend organizations implement the mitigations below to improve organization’s cybersecurity posture,” they said.
More than a decade in action
The agencies noted that the SVR has a long history of targeting public and private organizations’ networks globally since at least 2013. The SVR has shown “a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence.”
The advisory adds that the U.S. government published a report in December 2016 highlighting the SVR’s role in the compromise of a U.S. political party leading up to a presidential election — a reference to the hack of the Democratic National Committee’s network.
The CIA told U.S. lawmakers at the time that most agencies believed the SVR conducted the hacks in an effort to help Donald Trump win the presidency. The SVR also hacked the Republican National Committee but did not release the information it stole from its network.
The hackers also targeted organizations involved in COVID-19 vaccine development and energy companies in 2020 with custom malware.
According to the advisory, the SVR’s hackers are currently involved in a campaign called “Diplomatic Orbiter” involving the compromise of diplomatic agencies — with dozens of embassies targeted across the world.
Microsoft published its own notice of the JetBrains attack, noting its previous advisory about multiple groups of hackers tied to North Korea’s government exploiting the vulnerability.
The tech giant said that in its investigations it has seen SVR hackers use the VaporRage malware. It echoed the law enforcement advisory, writing that it has also seen credential theft, attempts to turn off antivirus tools, and efforts to gain deeper access to compromised systems.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.