CVE-2023-42793

Vulnerability updated 7 months ago (2024-05-04T19:16:28.149Z)
CVE-2023-42793 is a critical authentication bypass vulnerability in the JetBrains TeamCity build management and continuous integration server, rated CVSS 9.8. It was exploited by multiple threat actors throughout 2023 and into 2024.

The first notable exploitation occurred in September 2023, when the threat group BianLian used the vulnerability to conduct a supply chain attack. In addition to BianLian, Microsoft reported two North Korean threat groups, Diamond Sleet (also known as Zinc, or Lazarus) and Onyx Sleet (also known as Plutonium, or Andariel), exploiting this remote code execution vulnerability; both groups have been particularly active against CVE-2023-42793. In October 2023 Microsoft outlined how these groups used the authentication bypass to breach target systems: by establishing persistent access on compromised TeamCity hosts, they used them as a beachhead for more widespread compromise of companies' systems and networks. In these intrusions the groups also deployed HazyLoad, a custom proxy tool that Microsoft had previously identified in intrusions weaponizing critical security flaws in JetBrains TeamCity. Diamond Sleet in particular was implicated last month in opportunistically breaching vulnerable servers through CVE-2023-42793 and deploying a backdoor known as ForestTiger.

These incidents underscore the severity of the vulnerability and the need for organizations to apply patches promptly to protect their systems.
Description last updated: 2024-03-21T22:11:36.659Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Plutonium (2 votes): Plutonium is a possible alias for CVE-2023-42793. Plutonium, also known as Jumpy Pisces and Andariel, is a notable threat actor historically involved in cyberespionage, financial crime, and ransomware attacks. Recent reports have revealed that advanced persistent threats (APTs) backed by Plutonium have been breaching the Sellafield's IT systems, wh
ZINC (2 votes): ZINC is a possible alias for CVE-2023-42793. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Teamcity
Microsoft
Vulnerability
Korean
Svr
CISA
Associated Threat Actors
Diamond Sleet (association type: has used; 6 votes): The Diamond Sleet Threat Actor is associated with CVE-2023-42793. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply
Onyx Sleet (association type: has used; 5 votes): The Onyx Sleet Threat Actor is associated with CVE-2023-42793. Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activ
Andariel (association type: Unspecified; 4 votes): The Andariel Threat Actor is associated with CVE-2023-42793. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som
Lazarus Group (association type: Unspecified; 3 votes): The Lazarus Group Threat Actor is associated with CVE-2023-42793. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K
APT29 (association type: Unspecified; 2 votes): The APT29 Threat Actor is associated with CVE-2023-42793. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw