Medium
The FBI, CISA, NSA, SKW, CERT.PL, and NCSC have jointly reported that Russian Foreign Intelligence Service (SVR) cyber actors, also known as APT 29, CozyBear, and NOBELIUM, have been actively exploiting CVE-2023-42793 on servers hosting JetBrains TeamCity software since September 2023. The attackers use this access to escalate privileges, move laterally, deploy additional backdoors, and maintain long-term access to compromised networks. To evade detection, the threat actors employ several techniques, including a "Bring Your Own Vulnerable Driver" method, DLL hijacking vulnerabilities in Zabbix and Webroot antivirus software, and a covert communication channel that uses Microsoft OneDrive and Dropbox. The data exchanged through OneDrive and Dropbox is concealed inside randomly generated BMP files for additional obfuscation.

The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by CISA and shared publicly at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
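The summary above says the covert channel hides exchanged data inside randomly generated BMP files. A defender triaging files pulled from OneDrive or Dropbox sync folders can test for exactly that property: a structurally valid BMP whose pixel area is statistically random, or whose on-disk size exceeds what the header declares. The script below is an added example written for this page; it is not code from the CISA advisory or from Trellix. The 7.5 bits/byte entropy threshold, the sample images, and the appended-blob case are all constructed assumptions for illustration.

```python
"""Entropy and size triage for BMP files used as a covert-channel carrier (added example)."""
import math
import random
import struct

BMP_HEADER_LEN = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def build_bmp(width, height, pixels):
    """Construct a minimal 24-bit bottom-up BMP around raw BGR pixel bytes (sample data only)."""
    row_bytes = width * 3
    pad = (4 - row_bytes % 4) % 4  # BMP rows are padded to a 4-byte boundary
    rows = [pixels[y * row_bytes:(y + 1) * row_bytes] + b"\x00" * pad for y in range(height)]
    pixel_data = b"".join(rows)
    file_size = BMP_HEADER_LEN + len(pixel_data)
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, BMP_HEADER_LEN)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixel_data), 2835, 2835, 0, 0)
    return file_header + dib_header + pixel_data


def parse_bmp(data):
    """Return the header fields needed for triage; raise ValueError on a malformed file."""
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    file_size, _res1, _res2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    _dib_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if pixel_offset > len(data) or bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError("corrupt BMP header")
    stride = (abs(width) * bpp + 31) // 32 * 4  # padded bytes per row
    return {"file_size": file_size, "pixel_offset": pixel_offset,
            "width": abs(width), "height": abs(height), "bpp": bpp,
            "expected_pixel_bytes": stride * abs(height)}


def shannon_entropy(buf):
    """Bits of entropy per byte (0..8) over the buffer."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_bmp(data, entropy_threshold=7.5):
    """Flag BMPs whose pixel area looks random or that carry bytes beyond the declared image."""
    hdr = parse_bmp(data)
    start = hdr["pixel_offset"]
    pixel_area = data[start:start + hdr["expected_pixel_bytes"]]
    trailing = len(data) - start - hdr["expected_pixel_bytes"]
    entropy = shannon_entropy(pixel_area)
    flags = []
    if entropy >= entropy_threshold:
        flags.append("high_entropy_pixels")      # pixel bytes look like ciphertext/random data
    if len(data) != hdr["file_size"]:
        flags.append("file_size_mismatch")       # header disagrees with the bytes on disk
    if trailing > 0:
        flags.append("trailing_data")            # payload appended after the image
    return {"entropy": round(entropy, 3), "trailing_bytes": max(trailing, 0), "flags": flags}


def make_benign_sample():
    """Constructed two-colour striped image, standing in for an ordinary simple picture."""
    w, h = 100, 100
    px = bytearray()
    for _y in range(h):
        for x in range(w):
            px += b"\xc8\x64\x32" if (x // 10) % 2 == 0 else b"\x14\x1e\x28"
    return build_bmp(w, h, bytes(px))


def make_random_sample():
    """Constructed carrier: valid header, but every pixel byte is uniformly random."""
    rng = random.Random(20231213)
    px = bytes(rng.getrandbits(8) for _ in range(100 * 100 * 3))
    return build_bmp(100, 100, px)


def make_appended_sample():
    """Constructed carrier: benign picture with a 1 KiB blob appended after the pixel data."""
    return make_benign_sample() + bytes(range(256)) * 4


if __name__ == "__main__":
    for name, sample in (("benign", make_benign_sample()),
                         ("random_pixels", make_random_sample()),
                         ("appended_blob", make_appended_sample())):
        print(f"{name:14s} {assess_bmp(sample)}")
```

The entropy score is a triage signal, not proof: photographs stored as uncompressed BMP can also score high, so the threshold should be tuned against a baseline of the images normally seen in the environment. The size checks are independent of content and catch payloads simply appended to an otherwise innocent picture; the high-entropy check is what distinguishes a "randomly generated" carrier from a real image.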
Detection rate is the number of artifact detections reported by McAfee global sensors for this threat over 8 days. (The detection-rate bubble chart, whose bubbles are sized according to those values, is not reproduced here.)