| property | value |
| --- | --- |
| tags | cicd-pipeline,north-korea,pkm-pocket-pipeline,teamcity,threat-actor,threat-intel,threat-report |
| url | |
| original_word_count | 2034 |
Article Excerpt
Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server.
Long Summary
The two actors in this report are groups Microsoft has tracked for years under earlier names. ZINC, now tracked as Diamond Sleet, has previously targeted security researchers and penetration testers as well as employees at media, defense and aerospace, and IT service provider organizations in the US, UK, India, and Russia. DEV-0530, a North Korean group that has been developing and using ransomware in attacks since June 2021, is one Microsoft has linked to PLUTONIUM, now tracked as Onyx Sleet.
Since early October 2023, Diamond Sleet and Onyx Sleet have been exploiting CVE-2023-42793, a remote code execution vulnerability affecting multiple versions of JetBrains TeamCity server. Microsoft observed each actor using its own set of tools and techniques after successful exploitation. Diamond Sleet deployed the ForestTiger backdoor and used it to dump credentials from LSASS process memory. Onyx Sleet created a new user account on compromised systems, added it to the local Administrators group, ran several system discovery commands, and deployed a unique payload. JetBrains has released an update that addresses the vulnerability and has published a mitigation for users who cannot upgrade to the fixed version.
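As an added example (not code from the Microsoft report or from this page), the following Python turns the Onyx Sleet post-exploitation chain described above into two detections over Windows Security log records: a burst of discovery commands spawned by the TeamCity JVM, and a freshly created local account being added to BUILTIN\Administrators. The event records are constructed for the example; the service account name SVC_TEAMCITY and the java.exe install path are assumptions, and the account name svc_backup is invented, not an indicator from the report.

```python
"""Detections for TeamCity post-exploitation activity (added example).

Records mimic Windows Security events 4688 (process creation), 4720 (user
account created) and 4732 (member added to a security-enabled local group).
All sample events below are constructed; SVC_TEAMCITY and the java.exe path
are assumptions about the deployment, not values from the report.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

TEAMCITY_ACCOUNT = "SVC_TEAMCITY"                   # assumption: service account running TeamCity
TEAMCITY_PARENT = r"C:\TeamCity\jre\bin\java.exe"   # assumption: TeamCity's bundled JVM
LOCAL_ADMINS_SID = "S-1-5-32-544"                   # well-known SID of BUILTIN\Administrators
DISCOVERY_BINARIES = {"whoami.exe", "net.exe", "net1.exe", "systeminfo.exe",
                      "ipconfig.exe", "tasklist.exe", "nltest.exe", "query.exe"}


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def new_local_admins(events, window=timedelta(minutes=15)):
    """Pair each 4720 with a later 4732 that adds the same SID to Administrators
    within `window`. Correlation is on SIDs because 4732 frequently records
    only MemberSid ("MemberName" is often "-"), and on the group SID rather
    than the localised group name."""
    created = {ev["TargetSid"]: ev for ev in events if ev["EventID"] == 4720}
    findings = []
    for ev in events:
        if ev["EventID"] != 4732 or ev.get("TargetSid") != LOCAL_ADMINS_SID:
            continue
        c = created.get(ev.get("MemberSid"))
        if c and timedelta(0) <= _t(ev) - _t(c) <= window:
            findings.append({
                "account": c["TargetUserName"],
                "created_by": c["SubjectUserName"],
                "created": c["time"],
                "added_to_admins": ev["time"],
                "from_teamcity": c["SubjectUserName"].upper() == TEAMCITY_ACCOUNT,
            })
    return findings


def discovery_from_teamcity(events, min_distinct=3, window=timedelta(minutes=10)):
    """Flag `min_distinct` different discovery binaries spawned directly by the
    TeamCity JVM inside a sliding `window`; returns the first qualifying burst."""
    procs = sorted(
        (ev for ev in events
         if ev["EventID"] == 4688
         and ev["ParentProcessName"].lower() == TEAMCITY_PARENT.lower()
         and PureWindowsPath(ev["NewProcessName"]).name.lower() in DISCOVERY_BINARIES),
        key=_t)
    for i, first in enumerate(procs):
        seen = {}
        for ev in procs[i:]:
            if _t(ev) - _t(first) > window:
                break
            seen.setdefault(PureWindowsPath(ev["NewProcessName"]).name.lower(), ev["time"])
        if len(seen) >= min_distinct:
            return {"start": first["time"], "commands": sorted(seen)}
    return None


SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"time": "2023-10-05T08:01:10", "EventID": 4688, "SubjectUserName": "SVC_TEAMCITY",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "ParentProcessName": TEAMCITY_PARENT},
    {"time": "2023-10-05T08:01:14", "EventID": 4688, "SubjectUserName": "SVC_TEAMCITY",
     "NewProcessName": r"C:\Windows\System32\net.exe", "ParentProcessName": TEAMCITY_PARENT},
    # net1.exe is a child of net.exe, not of the JVM, so it does not count on its own
    {"time": "2023-10-05T08:01:15", "EventID": 4688, "SubjectUserName": "SVC_TEAMCITY",
     "NewProcessName": r"C:\Windows\System32\net1.exe", "ParentProcessName": r"C:\Windows\System32\net.exe"},
    {"time": "2023-10-05T08:01:40", "EventID": 4688, "SubjectUserName": "SVC_TEAMCITY",
     "NewProcessName": r"C:\Windows\System32\systeminfo.exe", "ParentProcessName": TEAMCITY_PARENT},
    {"time": "2023-10-05T08:02:05", "EventID": 4720, "SubjectUserName": "SVC_TEAMCITY",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"time": "2023-10-05T08:02:07", "EventID": 4732, "SubjectUserName": "SVC_TEAMCITY",
     "TargetUserName": "Administrators", "TargetSid": LOCAL_ADMINS_SID,
     "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    # benign helpdesk activity that must not be flagged (different group)
    {"time": "2023-10-05T09:30:00", "EventID": 4720, "SubjectUserName": "helpdesk",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    {"time": "2023-10-05T09:31:00", "EventID": 4732, "SubjectUserName": "helpdesk",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
]

if __name__ == "__main__":
    print("discovery burst:", discovery_from_teamcity(SAMPLE_EVENTS))
    print("new local admins:", new_local_admins(SAMPLE_EVENTS))
```

Both rules key on the TeamCity process and service account rather than on the specific account name the actor chose, so they still fire when the name changes; the trade-off is that legitimate build steps which run net.exe or whoami.exe from the JVM will need an allow-list per pipeline.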
Microsoft recommends the following mitigations to reduce the impact of these threats: take immediate action to address malicious activity on the impacted device; investigate the device timeline for indications of lateral movement; enable the attack surface reduction rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion; and use the detections available in Microsoft Defender Vulnerability Management, Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft 365 Defender, and Microsoft Sentinel. Microsoft has been actively monitoring both actors and providing guidance to customers on how to protect themselves from these threats.
Organizations should be aware of the risks posed by these actors and take the necessary steps to protect their systems. Microsoft is committed to protecting its customers from cyber threats and will continue to monitor and respond to malicious actors. Customers should remain vigilant.
Overall, the article provides an overview of the threat posed by Diamond Sleet and Onyx Sleet, the tools and techniques the actors used, and the recommended mitigation actions. Microsoft has
Short Summary
📓 Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
👉🏽 Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server.
👉🏽 Both actors were previously tracked by Microsoft under older names: ZINC (Diamond Sleet) and PLUTONIUM (Onyx Sleet).
👉🏽 ZINC has historically targeted security researchers and employees at media, defense, aerospace, and IT service provider organizations.
👉🏽 DEV-0530, a North Korean group using ransomware since June 2021, is one Microsoft has linked to PLUTONIUM.
👉🏽 Diamond Sleet deployed the ForestTiger backdoor and dumped credentials from LSASS memory.
👉🏽 Onyx Sleet created a new local administrator account, ran system discovery commands, and deployed a unique payload.
👉🏽 Mitigation steps include addressing malicious activity on the device, investigating the device timeline for lateral movement, and enabling the attack surface reduction rule that blocks untrusted executables.
👉🏽 Microsoft recommends using its Defender products and Sentinel for vulnerability management, antivirus, and detections.
👉🏽 Microsoft actively monitors both actors and provides guidance to customers.
👉🏽 Organizations must be aware of the risks and take necessary steps to protect their systems.
👉🏽 Microsoft is committed to protecting customers and will continue monitoring and responding to threats.
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability
#CyberThreats #ZINC #DEV0530 #MitigationActions #Microsoft