JetBrains vulnerability being exploited by North Korean gov’t hackers, Microsoft says

Siva Ramakrishnan
Multiple groups of hackers tied to North Korea’s government are targeting a vulnerability that emerged earlier this year in a popular product from Czech software giant JetBrains, Microsoft says.

Two groups tracked by Microsoft as Diamond Sleet and Onyx Sleet were seen exploiting CVE-2023-42793 — a bug found last month that affects a product called TeamCity, which is used by developers to test and exchange software code before its release.

JetBrains published a patch for the issue on September 20, but the subsequent release of technical details led to immediate exploitation by a range of ransomware groups, according to researchers at PRODAFT. More than 1,200 unpatched servers vulnerable to the issue were discovered.

Microsoft said on Wednesday that it has been notifying customers who are being targeted or who have already been compromised.

“While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation,” Microsoft said.

“Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments,” they wrote.

Diamond Sleet was observed deploying backdoors after exploiting the vulnerability, giving it continuous access to a victim’s system. Onyx Sleet, meanwhile, creates a new user account on the compromised system and gives it administrator-level access.

From there, Onyx Sleet tries to steal credentials and other data stored by browsers while also stopping the TeamCity service, “likely in an attempt to prevent access by other threat actors.”
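The Onyx Sleet post-exploitation sequence described above (new account created, granted administrator rights, TeamCity service stopped) is something a defender can correlate in host logs. The following is an added example written for this article, not code from Microsoft or JetBrains; it assumes a Windows TeamCity host whose Security and System logs have been normalized into dicts, uses the standard Windows event IDs 4720 (account created), 4732 (member added to local group) and 7036 (service state change), and runs over constructed sample events.

```python
"""Correlate the reported Onyx Sleet post-exploitation steps into one alert.

Added example, not Microsoft's or JetBrains' code. Assumptions: the TeamCity
host is a Windows server; events are pre-normalized dicts with the fields used
below; the service name contains "TeamCity"; a 30-minute window is enough.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)


def correlate(events, window=WINDOW):
    """Return one hit per host where, within `window` of a new local account
    being created, that account was added to Administrators and the TeamCity
    service was stopped. Both follow-on events are required to reduce noise."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["event_id"] != 4720:          # new account created
                continue
            new_user = start["target_user"]
            deadline = datetime.fromisoformat(start["ts"]) + window
            made_admin = service_stopped = False
            for ev in evs[i + 1:]:
                if datetime.fromisoformat(ev["ts"]) > deadline:
                    break
                if (ev["event_id"] == 4732 and ev.get("target_user") == new_user
                        and ev.get("group") == "Administrators"):
                    made_admin = True                # added to local admins
                if (ev["event_id"] == 7036 and ev.get("state") == "stopped"
                        and "teamcity" in ev.get("service", "").lower()):
                    service_stopped = True           # build service killed
            if made_admin and service_stopped:
                hits.append({"host": host, "user": new_user, "first_seen": start["ts"]})
    return hits


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2023-10-18T02:14:05", "host": "build01", "event_id": 4720, "target_user": "svc_update"},
    {"ts": "2023-10-18T02:14:09", "host": "build01", "event_id": 4732, "target_user": "svc_update", "group": "Administrators"},
    {"ts": "2023-10-18T02:16:40", "host": "build01", "event_id": 7036, "service": "TeamCity", "state": "stopped"},
    {"ts": "2023-10-18T09:00:00", "host": "build02", "event_id": 4720, "target_user": "jdoe"},
    {"ts": "2023-10-18T09:00:30", "host": "build02", "event_id": 4732, "target_user": "jdoe", "group": "Administrators"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Only build01 is flagged: build02 shows a routine admin account creation with no service stop, which the rule deliberately ignores.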

Microsoft did not respond to requests for comment about what organizations were attacked in the campaigns and what the overall goal was.

But both groups have been tracked by security companies and researchers for years. Onyx Sleet typically targets defense and IT services organizations in South Korea, the United States, and India.

Last year, Microsoft accused Onyx Sleet of creating the H0lyGh0st ransomware and using it to attack small businesses in several countries since September 2021.

The group went after manufacturing organizations, banks, schools, and event and meeting planning companies — demanding ransoms of up to 5 Bitcoins (about $140,000).

Diamond Sleet focuses its efforts on espionage, data theft, financial gain, and network destruction, targeting media, IT services, and defense-related entities around the world. The group made waves in September when Microsoft revealed it was targeting organizations in Russia, one of North Korea’s few allies.

Microsoft warned two weeks ago that hackers connected to Diamond Sleet were weaponizing legitimate open-source software.

JetBrains TeamCity, which is used by developers at Fortune 100 companies, was previously implicated in the SolarWinds fiasco by The New York Times, which attributed the wide-ranging hack to backdoors planted in an untold number of clients using TeamCity.

When first discovered, CVE-2023-42793 caused significant alarm among researchers who explained that it could be used by hackers to take over a development pipeline, allowing them to move throughout a company’s internal network and do extensive damage.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
