CVE-2023-42793

Vulnerability updated 4 months ago (2024-05-04T19:16:28.149Z)
CVE-2023-42793 is a critical authentication bypass vulnerability (CVSS score 9.8) in JetBrains TeamCity, the build management and continuous integration server; the bypass gives an attacker remote code execution on the server. The flaw was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation came in September 2023, when the BianLian group used it to conduct a supply chain attack. Microsoft subsequently reported two North Korean groups, Diamond Sleet (also known as Zinc, or Lazarus) and Onyx Sleet (also known as Plutonium, or Andariel), exploiting the same remote code execution vulnerability, and these North Korea-backed groups have been particularly active against CVE-2023-42793. In October 2023 Microsoft described how they used the authentication bypass to breach target systems: after establishing persistent access on compromised hosts, they used those hosts as a beachhead for wider compromise of the victims' systems and networks. In these attacks the groups also employed a custom proxy tool called HazyLoad, which Microsoft had previously identified in intrusions weaponizing critical security flaws in JetBrains TeamCity. Diamond Sleet in particular was implicated last month in opportunistically exploiting CVE-2023-42793 against vulnerable servers to deploy a backdoor known as ForestTiger. These incidents underscore the severity of the vulnerability and the need for organizations to apply the patch promptly.
Description last updated: 2024-03-21T22:11:36.659Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry gives the profile ID, its vote count, and the profile description.

Plutonium (2 votes): Plutonium, a threat actor with potentially global implications, has been involved in several critical incidents. The group's activities have been traced back to the 1960s when alleged Israeli scientists visited NUMEC, claiming to obtain plutonium-238 for non-nuclear projects. The lack of stringent r

ZINC (2 votes): Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been actively involved in cyberattacks on global media, defense, and IT industries. Microsoft's Threat Intelligence Center has been tracking the group's activities, which have included weaponizing open-source softw
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
TeamCity
Microsoft
Vulnerability
Korean
SVR
CISA
Analyst Notes & Discussion
Associated Threat Actors
Each entry gives the threat actor ID, the association type, its vote count, and the profile description.

Diamond Sleet (has used; 6 votes): Diamond Sleet is a North Korea-linked Advanced Persistent Threat (APT) group that has emerged as a significant threat actor in the cybersecurity landscape. This entity, which could be an individual, private company, or government body, is responsible for executing actions with malicious intent. The

Onyx Sleet (has used; 5 votes): Onyx Sleet, also known as Andariel, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, is a threat actor associated with North Korea's state-sponsored cyber operations. This group operates under the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau, based

Andariel (unspecified; 4 votes): Andariel, a state-backed threat group linked to North Korea's Reconnaissance General Bureau, has been identified as a significant cyber threat. The group has demonstrated its capabilities by compromising critical national infrastructure organizations, accessing classified technical information and i

Lazarus Group (unspecified; 3 votes): The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and

APT29 (unspecified; 2 votes): APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, BlueBravo, and the SVR group, is a Russia-linked threat actor notorious for its malicious cyber activities. In November 2023, this entity exploited a zero-day vulnerability in WinRAR software to launch attacks against various em
Source Document References
Information about the CVE-2023-42793 vulnerability was read from the document corpus below. This display is limited to 20 results.
Each entry gives the source, when it was added, and the document title.

Securityaffairs (a month ago): SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs (a month ago): security-affairs-malware-newsletter-round-5
CERT-EU (6 months ago): Response to CISA Advisory (AA24-057A): SVR Cyber Actors Adapt Tactics for Initial Cloud Access
CISA (a month ago): North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs | CISA
Securityaffairs (2 months ago): Security Affairs Malware Newsletter - Round 3
Securityaffairs (2 months ago): Security Affairs Malware Newsletter - Round 2
Securityaffairs (2 months ago): Security Affairs Malware Newsletter - Round 1
Securityaffairs (2 months ago): Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (3 months ago): Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (3 months ago): Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (3 months ago): Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading (4 months ago): Asian Threat Actors Use New Techniques to Attack Familiar Targets
Securityaffairs (4 months ago): Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (4 months ago): Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (5 months ago): Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (5 months ago): Security Affairs newsletter Round 466 by Pierluigi Paganini
InfoSecurity-magazine (5 months ago): Microsoft: China Using AI-Generated Content to Sow Division in US
Securityaffairs (5 months ago): Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs (5 months ago): Security Affairs newsletter Round 464 by Pierluigi Paganini