National Security Agency Posts Advisory on New Russian Cyberattack

The National Security Agency has warned that Russian Foreign Intelligence Service attackers are exploiting a publicly known vulnerability in servers hosting JetBrains TeamCity software.

Affected entities include information technology companies, tool manufacturers, an energy trade association and developers of billing, medical devices, employee monitoring, sales and video game software worldwide, the NSA said Wednesday.

A cybersecurity advisory released by the NSA, FBI and allied organizations identified the malicious cyber actors as Advanced Persistent Threat 29, CozyBear, the Dukes and NOBELIUM/Midnight Blizzard.

Since September, the attackers have been using the JetBrains TeamCity server vulnerability, officially named CVE-2023-42793, to gain initial server access. The cyber actors then escalate privileges and deploy additional backdoors to maintain persistent access.

According to the CSA, TeamCity servers provide management and automation capabilities to software developers. With access to such environments, malicious actors could conduct harmful supply chain operations and subvert software compilation and deployment processes.

The agencies advised organizations to install a JetBrains TeamCity patch, utilize multifactor authentication and deploy host-based and endpoint protection.