Foresttiger

Vulnerability updated a year ago (2024-11-29T14:07:42.908Z)

Download STIX

Preview STIX

ForestTiger is a software vulnerability that has been exploited by threat actors, specifically Diamond Fleet, to compromise system security. The flaw in the software design or implementation has enabled the group to execute malicious activities, primarily through PowerShell scripts to download two payloads from seemingly legitimate infrastructure that they had previously compromised. The exploitation of this vulnerability has been methodically planned and executed, demonstrating the advanced capabilities of the threat actor. The attackers have particularly used ForestTiger Backdoor as one of their main tools for exploiting the identified vulnerability. They have been observed compromising TeamCity servers to deploy this persistent backdoor, named after the vulnerability itself. The ForestTiger Backdoor has been used to run scheduled tasks on the compromised systems, further deepening the extent of the breach and enabling the attackers to maintain a steady grip on the infiltrated systems. One of the key malicious activities facilitated by the ForestTiger Backdoor is the dumping of LSASS (Local Security Authority Subsystem Service) credentials from memory. This operation allows the attacker to gain access to sensitive user authentication information, thereby posing a significant threat to data security. The use of ForestTiger vulnerability and its associated backdoor underscores the need for robust cybersecurity measures to protect against such sophisticated threats.

Description last updated: 2024-05-04T21:19:54.877Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
CVE-2023-42793 is a possible alias for Foresttiger. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Teamcity

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Diamond Sleet Threat Actor is associated with Foresttiger. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply	Unspecified	2

Source Document References

Information about the Foresttiger Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	a month ago	Gotta fly: Lazarus targets the UAV sector
Securelist	a year ago	Lazarus targets nuclear-related organization with new malware
BankInfoSecurity	2 years ago	North Korean Hackers Exploiting Critical Flaw in DevOps Tool
InfoSecurity-magazine	2 years ago	North Korean Attackers Exploiting Critical CI/CD Vulnerability
CERT-EU	2 years ago	N. Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack
CERT-EU	2 years ago	North Korean Hackers Exploiting Recent TeamCity Vulnerability
CERT-EU	2 years ago	North Korean State Actors Attack Critical Bug in TeamCity Server