Two North Korean threat actors, Diamond Sleet and Onyx Sleet, were observed exploiting CVE-2023-42793 in JetBrains TeamCity servers to gain access and persist in victim environments. They used two distinct attack paths—ForestTiger backdoor deployment and DLL search-order hijacking—along with credential dumping, account creation, and C2 activity, highlighting elevated risk for affected organizations. #DiamondSleet #OnyxSleet
Key points
- Microsoft observed two North Korean threat actors, Diamond Sleet and Onyx Sleet, exploiting CVE-2023-42793 to target TeamCity servers.
- Diamond Sleet path 1 deploys ForestTiger backdoor via PowerShell, including a startup-delivery mechanism and credential dumping via LSASS memory.
- Diamond Sleet path 2 uses DLL search-order hijacking with DSROLE.dll and Version.dll to load and execute payloads in memory, with staged components and C2 communication.
- Onyx Sleet path involves user account creation (krtbgt), system discovery, and deployment of a unique payload that establishes a persistent, covert connection (HazyLoad proxy tool).
- Actors employ multiple techniques (PowerShell, DLL hijacking, scheduled tasks, RDP, credential dumping) to achieve persistence and lateral movement, sometimes using both paths in tandem.
- Mitigations include applying JetBrains updates, using IOC data, blocking IOCs, enabling Defender features, and enforcing Safe DLL Search Mode and attack surface reduction rules.
- Detections are listed by Microsoft Defender Antivirus name (ForestTiger, RollSling, FeedLoad, HazyLoad) and by the Microsoft Defender for Endpoint alerts tied to these actors and activities.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability CVE-2023-42793 was exploited to compromise TeamCity servers. “exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server.”
- [T1059.001] PowerShell – PowerShell is used to download payloads from attacker infrastructure. “Following successful compromise of TeamCity servers, Diamond Sleet utilizes PowerShell to download two payloads from legitimate infrastructure previously compromised by the threat actor.”
- [T1105] Ingress Tool Transfer – Payloads are downloaded from attacker infrastructure using PowerShell. “PowerShell to download two payloads from legitimate infrastructure.”
- [T1053.005] Scheduled Task – ForestTiger backdoor creates a scheduled task to run on startup. “creating a scheduled task named Windows TeamCity Settings User Interface so it runs every time the system starts with the above referenced command parameter.”
- [T1003.001] LSASS Memory – ForestTiger dumps credentials via LSASS memory. “dump credentials via the LSASS memory.”
- [T1574.001] DLL Search Order Hijacking – DLLs (DSROLE.dll, Version.dll) are used in hijacking DLL search order with legitimate binaries. “the DLL initiates a thread … the DLL is loaded by wsmprovhost.exe” and “loaded by clip.exe”
- [T1055.001] Process Injection – Payloads are decrypted and loaded into memory for execution. “be launched in memory” and “embedded PE resource”
- [T1021.001] Remote Services – Onyx Sleet uses RDP via an attacker-controlled account. “sign into the compromised device via remote desktop protocol (RDP)”
- [T1082] System Information Discovery – Onyx Sleet performs system discovery commands. “system discovery commands on compromised systems, including: net localgroup … whoami … systeminfo”
- [T1071.001] Web Protocols – C2 communications to multiple domains/URLs used for command and control. “URLs used by the malware for command and control”
Indicators of Compromise
- [File path] ForestTiger components – C:\ProgramData\Forest64.exe, C:\ProgramData\4800-84DC-063A6A41C5C
- [SHA-256] Forest64.exe hashes – e06f29dccfe90ae80812c2357171b5c48fba189ae103d28e972067b107e58795, 0be1908566efb9d23a98797884f2827de040e4cedb642b60ed66e208715ed4aa
- [File path] ForestTiger config – C:\ProgramData\4800-84DC-063A6A41C5C
- [URL] Staging and C2 URLs – hxxp://www.bandarpowder[.]com/public/assets/img/cfg.png, hxxps://www.bandarpowder[.]com/public/assets/img/cfg.png
- [URL] Additional staging URLs – hxxp://www.aeon-petro[.]com/wcms/plugins/addition_contents/cfg.png, hxxp://www.bandarpowder[.]com/public/assets/img/user64.png, hxxps://www.bandarpowder[.]com/public/assets/img/user64.png
- [Domain] C2 domains – dersmarketim[.]com, olidhealth[.]com, galerielamy[.]com, 3dkit[.]org
- [URL] Version.dll and readme/md staging – hxxp://www.mge[.]sn/themes/classic/modules/ps_rssfeed/feed.zip, hxxp://www.mge[.]sn/themes/classic/modules/ps_rssfeed/feedmd.zip
- [URL] Final callback URLs – https://vadtalmandir[.]org/admin/ckeditor/plugins/icontact/about.php, https://commune-fraita[.]ma/wp-content/plugins/wp-contact/contact.php
- [File path] Onyx Sleet proxy payload – C:\Windows\Temp\temp.exe, C:\Windows\ADFS\bg\inetmgr.exe
- [SHA-256] Proxy tool loader – 000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee
- [URL] HazyLoad staging – hxxp://147.78.149[.]201:9090/imgr.ico, hxxp://162.19.71[.]175:7443/bottom.gif