Cybersecurity experts have reported that North Korean threat actors are leveraging a critical vulnerability in JetBrains TeamCity, specifically CVE-2023-42793, which carries a severe CVSS score of 9.8. This exploitation allows attackers to breach unprotected servers, with campaigns attributed to two distinct groups: Diamond Sleet, also known as Labyrinth Chollima, and Onyx Sleet, also referred to as Andariel or Silent Chollima.
Both of these threat clusters are affiliated with the notorious Lazarus Group, a state-sponsored cybercriminal organization from North Korea. As highlighted by Microsoft, the attacks by Diamond Sleet utilize an initial compromise of TeamCity servers to deploy a Trojan implant, identified as ForestTiger, from infrastructure previously compromised by the attackers.
The second attack variant takes advantage of the initial access gained to load a malicious DLL (DSROLE.dll, also known by other aliases) through a DLL search-order hijacking technique. This allows the attackers to execute subsequent malicious payloads or deploy remote access trojans (RATs). Microsoft indicates that elements from both attack methods were noted in certain instances, showcasing the sophisticated nature of these operations.
In parallel, the Onyx Sleet team exploits the same vulnerability to create a user account named krtbgt, likely designed to blend in with the legitimate Kerberos Ticket Granting Ticket account (krbtgt). The attackers then elevate their privileges by adding this account to the Local Administrators group and execute various discovery commands to gather intelligence about the compromised systems.
After establishing this foothold, the Onyx Sleet group deploys a custom proxy tool called HazyLoad, which maintains a persistent connection between the compromised host and attacker-controlled infrastructure. Notably, the attackers use the krtbgt account to access the devices over Remote Desktop Protocol (RDP), and they terminate the TeamCity service, likely to hinder detection and remediation and to keep other malicious actors from using the same access.
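The Onyx Sleet chain described above (lookalike account created, added to local Administrators, RDP logon by that account, TeamCity service stopped) maps onto standard Windows event IDs 4720, 4732, 4624 (logon type 10) and 7036. The following correlation is an added illustration written for this page, not code from the article or from Microsoft; the event records are constructed samples with hypothetical host names, and the field names are assumptions about how a collector would normalise them.

```python
from collections import defaultdict

KRBTGT = "krbtgt"  # the legitimate Kerberos TGT service account name


def is_krbtgt_lookalike(name):
    """True for names that imitate krbtgt (anagrams such as 'krtbgt' or
    one-character variants) but are not the real account itself."""
    n = name.lower()
    if n == KRBTGT:
        return False
    if sorted(n) == sorted(KRBTGT):
        return True
    return len(n) == len(KRBTGT) and sum(a != b for a, b in zip(n, KRBTGT)) == 1


# Constructed sample events (hypothetical hosts), one attack chain on build01
# and benign account activity on dev02. Field names are assumed.
SAMPLE_EVENTS = [
    {"id": 4720, "host": "build01", "target": "krtbgt"},                   # account created
    {"id": 4732, "host": "build01", "member": "krtbgt", "group": "Administrators"},
    {"id": 4624, "host": "build01", "user": "krtbgt", "logon_type": 10},   # RDP logon
    {"id": 7036, "host": "build01", "service": "TeamCity", "state": "stopped"},
    {"id": 4720, "host": "dev02", "target": "svc_backup"},
    {"id": 4624, "host": "dev02", "user": "svc_backup", "logon_type": 3},
]


def correlate(events):
    """Record, per host, which stages of the chain are present."""
    stages = defaultdict(set)
    for e in events:
        h = e["host"]
        if e["id"] == 4720 and is_krbtgt_lookalike(e["target"]):
            stages[h].add("lookalike_account_created")
        elif e["id"] == 4732 and e["group"].lower() == "administrators" \
                and is_krbtgt_lookalike(e["member"]):
            stages[h].add("added_to_local_admins")
        elif e["id"] == 4624 and e.get("logon_type") == 10 \
                and is_krbtgt_lookalike(e["user"]):
            stages[h].add("rdp_logon_by_lookalike")
        elif e["id"] == 7036 and "teamcity" in e["service"].lower() \
                and e["state"] == "stopped":
            stages[h].add("teamcity_service_stopped")
    return dict(stages)


def alerts(events, min_stages=2):
    """Hosts where at least min_stages stages of the chain co-occur."""
    return {h: sorted(s) for h, s in correlate(events).items() if len(s) >= min_stages}
```

A single stage (for example a stopped TeamCity service during maintenance) is noise on its own; requiring two or more stages on the same host is what makes the alert actionable.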
The Lazarus Group has garnered attention for its sophisticated APT (Advanced Persistent Threat) tactics, engaging in operations that include financial crimes and espionage, often utilizing cryptocurrencies to fund their initiatives. U.S. Deputy National Security Advisor Anne Neuberger has indicated that North Korea’s cyber operations surrounding cryptocurrency scams are a significant revenue source that supports the country’s missile development programs.
Furthering the concern, the AhnLab Security Emergency Response Center (ASEC) outlined additional malware families utilized by Lazarus, such as Volgmer and Scout, which serve as conduits for establishing backdoors into targeted systems. ASEC also pointed out the group’s ongoing campaigns, including Operation Dream Magic, which involves poisoning web content to exploit vulnerabilities in commercial products.
As North Korea continues to expand its cyber capabilities, ASEC recently linked another group, Kimsuky (APT43), to new spear-phishing attacks employing BabyShark malware to install a range of remote tools for system control and data exfiltration. This multi-faceted approach signifies the persistent threat posed by North Korean actors, emphasizing the importance of vigilance and robust cybersecurity measures within the business community.