JetBrains vulnerability being exploited by North Korean gov’t hackers, Microsoft says

Multiple groups of hackers tied to North Korea’s government are targeting a vulnerability that emerged earlier this year in a popular product from Czech software giant JetBrains, Microsoft says.

Two groups tracked by Microsoft as Diamond Sleet and Onyx Sleet were seen exploiting CVE-2023-42793 — a bug found last month that affects a product called TeamCity, which is used by developers to test and exchange software code before its release.

The company published a patch for the issue on September 20 but the subsequent release of technical details led to immediate exploitation by a range of ransomware groups, according to researchers at PRODRAFT. More than 1,200 unpatched servers vulnerable to the issue were discovered.

Microsoft said on Wednesday that it has been notifying customers who are being targeted or who have already been compromised.

“While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation,” Microsoft said.

“Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments,” they wrote.

Diamond Sleet was witnessed deploying backdoors through their compromise of the vulnerability — allowing them continuous access to a victim’s system. Onyx Sleet, meanwhile, creates a new user account on the compromised system and gives it administrator-level access.

From there, Onyx Sleet tries to steal credentials and other data stored by browsers while also stopping the TeamCity service, “likely in an attempt to prevent access by other threat actors.”

Microsoft did not respond to requests for comment about what organizations were attacked in the campaigns and what the overall goal was.

But both groups have been tracked by security companies and researchers for years. Onyx Sleet typically targets defense and IT services organizations in South Korea, the United States, and India.

Last year, Microsoft accused Onyx Sleet of creating the H0lyGh0st ransomware and using it to attack small businesses in several countries since September 2021.

The group went after manufacturing organizations, banks, schools, and event and meeting planning companies — demanding ransoms of up to 5 Bitcoins (about $140,000).

Diamond Sleet focuses its efforts on espionage, data theft, financial gain, and network destruction, targeting media, IT services, and defense-related entities around the world. The group made waves in September when Microsoft revealed it was targeting organizations in Russia, one of North Korea’s few allies.

Microsoft warned two weeks ago that hackers connected to Diamond Sleet were weaponizing legitimate open-source software.

When first discovered, CVE-2023-42793 caused significant alarm among researchers who explained that it could be used by hackers to take over a development pipeline, allowing them to move throughout a company’s internal network and do extensive damage.

Correction (10/19/2023): A previous version of this story cited a report from The New York Times speculating that JetBrains TeamCity was implicated in the SolarWinds cyberattacks. It was later revealed that SolarWinds' Orion product was the source of the issue — not TeamCity.