Cyber Threat Report: 'Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally'

Report Author	CISA
Publication Date	2023-12-13
Original Reporting	Source
Attributed to Nation	Russia
Related Intrusion Sets	Midnight Blizzard , NOBELIUM , Cozy Bear , The Dukes , APT29
Related Threat Actors	SVR - Russian Foreign Intelligence Service
Identified CVEs	CVE-2023-42793

This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy Bear, Midnight Blizzard) and the Russian Foreign Intelligence Service (SVR). The advisory contains technical details and MITRE ATT&CK techniques used by the group as part of a campaign which included exploitation of CVE-2023-42793 in Jet Brains' TeamCity at scale.

Cyber Threat Graph Context

Explore how this report relates to the wider threat graph

Mitigations to defend against the techniques in this report

Identified MITRE ATT&CK Techniques

ATT&CK ID	Title	Associated Tactics
T1590.004	Network Topology	Reconnaissance
T1041	Exfiltration Over C2 Channel	Exfiltration
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1562.001	Disable or Modify Tools	Defense Evasion
T1574.002	DLL Side-Loading	Defense Evasion, Persistence, Privilege Escalation
T1059.001	PowerShell	Execution
T1036	Masquerading	Defense Evasion
T1564	Hide Artifacts	Defense Evasion
T1033	System Owner/User Discovery	Discovery
T1567	Exfiltration Over Web Service	Exfiltration
T1190	Exploit Public-Facing Application	Initial Access
T1059.003	Windows Command Shell	Execution
T1020	Automated Exfiltration	Exfiltration
T1057	Process Discovery	Discovery
T1098	Account Manipulation	Persistence, Privilege Escalation
T1203	Exploitation for Client Execution	Execution
T1027.001	Binary Padding	Defense Evasion
T1568	Dynamic Resolution	Command and Control
T1547	Boot or Logon Autostart Execution	Persistence, Privilege Escalation
T1505.001	SQL Stored Procedures	Persistence
T1590	Gather Victim Network Information	Reconnaissance
T1210	Exploitation of Remote Services	Lateral Movement
T1564.001	Hidden Files and Directories	Defense Evasion
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1003.001	LSASS Memory	Credential Access
T1047	Windows Management Instrumentation	Execution
T1558.001	Golden Ticket	Credential Access
T1046	Network Service Discovery	Discovery
T1003.002	Security Account Manager	Credential Access
T1555.003	Credentials from Web Browsers	Credential Access
T1055	Process Injection	Defense Evasion, Privilege Escalation
T1592.002	Software	Reconnaissance
T1572	Protocol Tunneling	Command and Control

Cyber Threat Report: 'Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally'

Cyber Threat Graph Context

Mitigations to defend against the techniques in this report

Pre-compromise

Network Intrusion Prevention

Data Loss Prevention

User Account Management

Privileged Account Management

Audit

Operating System Configuration

Execution Prevention

Restrict File and Directory Permissions

Restrict Registry Permissions

Application Developer Guidance

Update Software

Disable or Remove Feature or Program

Code Signing

Antivirus/Antimalware

User Training

Behavior Prevention on Endpoint

Restrict Web-Based Content

Application Isolation and Sandboxing

Exploit Protection

Vulnerability Scanning

Network Segmentation

Multi-factor Authentication

Threat Intelligence Program

Password Policies

Credential Access Protection

Privileged Process Integrity

Active Directory Configuration

Filter Network Traffic

Identified MITRE ATT&CK Techniques