
Microsoft catches North Korean-backed hackers exploiting flaw in DevOps tool

Security researchers have observed two groups taking advantage of a remote code execution flaw in the TeamCity On-Premises server.

David Hollingworth
Thu, 19 Oct 2023

TeamCity On-Premises is a popular continuous integration and deployment server developed by Czech software company JetBrains.

Microsoft’s security people have been tracking the activity since early October 2023, observing the two groups – which Microsoft is dubbing Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793 for their operations.

“In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments,” Microsoft’s researchers said in a blog post.

“Given this, Microsoft assesses that this activity poses a particularly high risk to organisations [that] are affected.”

But while both threat actors are taking advantage of the same flaw, their methods and toolsets differ.

Diamond Sleet – known to target defence companies and media all over the world – has been seen to use two attack paths. The first uses legitimate infrastructure to download two payloads via PowerShell – Forest64.exe and 4800-84DC-063A6A41C5C.

Together, the two ultimately install a backdoor, create persistence, and perform a credential dump.

The second attack vector uses PowerShell to download a malicious DLL from the attacker’s own infrastructure, which works alongside a legitimate .exe file.

“Once loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control,” Microsoft said.

“After successful compromise, Microsoft observed Diamond Sleet dumping credentials via the LSASS memory.”

In some cases, Diamond Sleet used a mix of both techniques on a single target.

Onyx Sleet, on the other hand, utilises the same vulnerability to create a new user account called “krtbgt”, probably designed to mimic the legitimate account name “KRBTGT”, or Kerberos Ticket Granting Ticket. Onyx Sleet then runs a range of system discovery commands to scout out the system, then deploys a proxy tool to maintain a connection between the compromised machine and the threat actor’s own command and control infrastructure.

From here, the attacker can sign in via a remote desktop, dump credentials, and deploy other tools. Interestingly, Onyx Sleet will also stop the TeamCity service entirely as a means to keep other threat actors off the system.
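The two Onyx Sleet behaviours described above, a new account named to resemble KRBTGT and the TeamCity service being stopped, are both visible in ordinary Windows event logs. The detection logic below is an added example, not code from the article or from Microsoft; the event records are constructed samples in a simplified dict form (event ID 4720 for account creation, 7036 for a service state change), and the edit-distance threshold is an assumption.

```python
"""Flag two Onyx Sleet-style post-exploitation signals in Windows event records:
a newly created account whose name mimics 'krbtgt', and the TeamCity service
being stopped. Event records below are constructed samples, not real telemetry."""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute); catches typo-style mimics."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_krbtgt_lookalike(name: str, max_distance: int = 2) -> bool:
    """True for names close to 'krbtgt' that are not the real account itself.
    max_distance=2 is an assumed threshold; it catches the 'krtbgt' transposition."""
    n = name.lower()
    return n != "krbtgt" and levenshtein(n, "krbtgt") <= max_distance


def detect(events):
    """Return (rule, detail) findings for a sequence of simplified event dicts."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720 and is_krbtgt_lookalike(ev.get("TargetUserName", "")):
            findings.append(("krbtgt-lookalike-account", ev["TargetUserName"]))
        elif (eid == 7036
              and "teamcity" in ev.get("param1", "").lower()
              and ev.get("param2", "").lower() == "stopped"):
            findings.append(("teamcity-service-stopped", ev["param1"]))
    return findings


# Constructed sample records: one mimic account, one benign account,
# one TeamCity service stop, one unrelated service event.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "krtbgt", "SubjectUserName": "TeamCity$"},
    {"EventID": 4720, "TargetUserName": "svc-build", "SubjectUserName": "Admin"},
    {"EventID": 7036, "param1": "TeamCity Server", "param2": "stopped"},
    {"EventID": 7036, "param1": "Windows Update", "param2": "running"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The real `krbtgt` account is deliberately excluded, so only names that imitate it are reported.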

“As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments,” Microsoft said.

JetBrains has since released an update that addresses CVE-2023-42793.

You can learn more about this campaign, and find a complete list of indicators of compromise and mitigation advice, in Microsoft’s blog post.
