Microsoft Corp. has warned that the North Korean hacking groups Lazarus and Andariel are exploiting a vulnerability in TeamCity servers to deploy malware, with the aim of compromising the software supply chain.

TeamCity is a continuous integration and continuous deployment server that organizations use as part of their software development infrastructure.

In September, TeamCity fixed a critical vulnerability, CVE-2023-42793 (CVSS: 9.8), which allowed an unauthenticated attacker to execute code remotely. Despite the rapid release of the patch, cybercriminals began exploiting the flaw to break into corporate networks.

According to Microsoft’s report, the Lazarus (Diamond Sleet, ZINC) and Andariel (Onyx Sleet, PLUTONIUM) groups are actively exploiting the CVE-2023-42793 vulnerability. Although the ultimate goal of the attacks is not yet known, experts speculate that it may be to carry out attacks on software providers.

Once a TeamCity server is compromised, the attackers use a variety of methods to deploy malware and gain persistent access to the infected network. In particular, Lazarus uses the ForestTiger malware as a backdoor to execute commands on the compromised server; ForestTiger gives the hackers persistent and covert access to the system. Andariel, in turn, creates an administrative account on the compromised server, which it uses to collect system information and execute commands.
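The creation of an unexpected administrative account on a CI server, as described above for Andariel, is something a defender can look for in the server's audit trail. The following is an added example, not code from Microsoft, JetBrains or the original article: it scans audit events for new accounts created with (or elevated to) an admin role and raises the severity when the acting account is not on an approved list or the action happens outside business hours. The JSON event format, the role names, the approved-actor list and the sample events are all constructed for illustration and are not TeamCity's real audit log schema.

```python
"""Flag administrative-account creation or elevation on a CI server.

Added example. The event format below (keys ts, actor, action, target, roles)
is a constructed, hypothetical schema, not TeamCity's actual audit log.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit events (not real TeamCity output).
SAMPLE_EVENTS = [
    '{"ts": "2023-10-18T02:13:05Z", "actor": "system", "action": "user.create", '
    '"target": "svc_backup", "roles": ["SYSTEM_ADMIN"]}',
    '{"ts": "2023-10-18T09:41:22Z", "actor": "alice", "action": "user.create", '
    '"target": "bob", "roles": ["PROJECT_DEVELOPER"]}',
    '{"ts": "2023-10-18T09:45:10Z", "actor": "alice", "action": "role.assign", '
    '"target": "bob", "roles": ["SYSTEM_ADMIN"]}',
    '{"ts": "2023-10-18T10:00:00Z", "actor": "alice", "action": "build.start", '
    '"target": "Build_1"}',
    'this line is not valid JSON',
]

ADMIN_ROLES = {"SYSTEM_ADMIN"}          # hypothetical role name
KNOWN_ADMIN_ACTORS = {"alice"}          # accounts allowed to grant admin (assumption)
BUSINESS_HOURS = range(8, 18)           # UTC hours treated as normal (assumption)


def parse_event(line):
    """Parse one JSON audit line; return None for malformed lines rather than crashing."""
    try:
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return ev
    except (ValueError, KeyError, TypeError):
        return None


def find_admin_grants(lines):
    """Return one finding per event that creates an admin account or elevates a user to admin.

    Severity is 'high' when the actor is not an approved admin or the event falls
    outside business hours, otherwise 'medium' (admin grants always deserve review).
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.get("action") not in ("user.create", "role.assign"):
            continue
        granted = ADMIN_ROLES & set(ev.get("roles", []))
        if not granted:
            continue
        reasons = []
        if ev["actor"] not in KNOWN_ADMIN_ACTORS:
            reasons.append("actor not in approved admin list")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        findings.append({
            "target": ev["target"],
            "actor": ev["actor"],
            "roles": sorted(granted),
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_admin_grants(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the script reports two findings: the `svc_backup` account created by an unapproved actor at 02:13 UTC is rated high, while the in-hours elevation of `bob` by an approved administrator is rated medium. In a real deployment the approved-actor list and time window would come from the organisation's change-management data, and the parser would be adapted to the server's actual audit export.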

Microsoft shared more detailed technical information on all types of attacks identified, including risk indicators.
