The article discusses the ongoing cyber operations of the Russian Foreign Intelligence Service (SVR), particularly their exploitation of JetBrains TeamCity CVE-2023-42793 to target technology companies globally. The SVR’s tactics include host reconnaissance, DLL execution, and data exfiltration techniques. The article highlights the potential risks posed by the SVR’s access to software developers’ networks and outlines various Sigma Rules for threat hunting.
Affected Platform: JetBrains TeamCity
Key points:
- SVR has been targeting networks to steal confidential information since 2013.
- Recent operations exploit CVE-2023-42793 in JetBrains TeamCity servers.
- SVR’s access to software developers’ networks could enable hard-to-detect command and control infrastructure.
- Threat hunting Sigma Rules are provided for various reconnaissance and exploitation techniques.
- SVR employs techniques to avoid detection, including using vulnerable drivers to disable EDR and AV software.
MITRE Techniques:
- Host Reconnaissance [T1033]: SVR uses built-in commands like whoami to gather privilege information.
- DLL Execution [T1203]: SVR executes DLLs like AclNumsInvertHost.dll for malicious purposes.
- Data Exfiltration [T1003.002]: SVR saves sensitive registry entries and exfiltrates them using backdoor capabilities.
- Command and Control [T1572]: SVR uses modified tools like rr.exe to establish tunnels to C2 infrastructure.
- Lateral Movement [T1210]: SVR modifies registry settings to enable remote connections and uses WMIC for lateral movement.
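The summary lists the reconnaissance and lateral-movement behaviours the report hunts for but not the hunting logic itself. The script below is an added example, not the article's Sigma rules or any SVR tooling: it runs simple command-line rules for the whoami reconnaissance, WMIC remote process creation and remote-connection-enabling registry changes named above over constructed process-creation events. Everything in it is assumed for illustration: the `image | command line | parent image` record format, the TeamCity install path used for the parent-process context check, the `HOST-PLACEHOLDER` hostname, and the choice of the `Terminal Server\fDenyTSConnections` value as one concrete instance of a registry change that enables remote connections (the summary does not name the key the SVR modified).

```python
"""Constructed hunting logic for the TTPs in the summary above.

This is example code added here; it is not the report's Sigma rules.  Each
rule is a regex over a process-creation event's command line, tagged with the
technique ID the summary cites for that behaviour.
"""
import re
from dataclasses import dataclass

# Constructed sample events in an assumed "image | command line | parent image"
# form.  HOST-PLACEHOLDER stands in for a real hostname; none of these records
# come from the report.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\whoami.exe | whoami /priv | C:\TeamCity\jre\bin\java.exe",
    r'C:\Windows\System32\wbem\WMIC.exe | wmic /node:HOST-PLACEHOLDER process call create "cmd.exe /c dir" | C:\Windows\System32\cmd.exe',
    r'C:\Windows\System32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f | C:\Windows\System32\cmd.exe',
    r"C:\Windows\System32\notepad.exe | notepad.exe notes.txt | C:\Windows\explorer.exe",
]

# (technique id from the summary, label, case-insensitive pattern over the command line)
RULES = [
    ("T1033", "host reconnaissance via whoami",
     re.compile(r"(^|[\\\s])whoami(\.exe)?(\s|$)", re.I)),
    ("T1210", "WMIC remote process creation",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    # Assumed concrete instance of "registry settings to enable remote
    # connections": setting fDenyTSConnections to 0 permits RDP connections.
    ("T1210", "registry change enabling remote connections",
     re.compile(r"\breg(\.exe)?\s+add\b.*Terminal Server.*fDenyTSConnections.*/d\s+0\b", re.I)),
]


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'image | command line | parent image' record."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 3:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*parts)


def match_rules(event: ProcessEvent) -> list:
    """Return the technique IDs whose pattern matches the event's command line."""
    return [tid for tid, _label, pat in RULES if pat.search(event.command_line)]


def spawned_by_teamcity(event: ProcessEvent) -> bool:
    """Assumed context check: parent lives under a TeamCity install directory.

    Reconnaissance launched from the TeamCity service process is the
    post-exploitation context the summary describes, so it is worth flagging
    separately from the same command run interactively by an administrator.
    """
    return "teamcity" in event.parent_image.lower()


def hunt(lines) -> list:
    """Return (event, matched technique IDs, spawned_by_teamcity) per matching event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = match_rules(ev)
        if hits:
            findings.append((ev, hits, spawned_by_teamcity(ev)))
    return findings


if __name__ == "__main__":
    for ev, hits, from_teamcity in hunt(SAMPLE_EVENTS):
        ctx = "parent=TeamCity" if from_teamcity else "parent=other"
        print(f"{','.join(hits):<6} {ctx:<15} {ev.command_line}")
```

The regexes are deliberately narrow so that the benign `notepad.exe` record produces no finding; in a real deployment the same rules would be expressed in Sigma and fed process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688) rather than the constructed records embedded here.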
Indicators of Compromise:
- [ip address] 65.20.97[.]203
- [url] Poetpages[.]com
- [file name] AclNumsInvertHost.dll
- [file name] ModeBitmapNumericAnimate.dll
- [file name] UnregisterAncestorAppendAuto.dll
- See the article for the full list of IoCs.
Full Research: https://malware.news/t/hunting-svr-russian-foreign-intelligence-service-svr-exploiting-jetbrains-teamcity-cve-globally/89913