As NetSPI's Breach and Attack Simulation (BAS) Product Manager, Thomas Adams is responsible for guiding the future of the BAS product. He has over 25 years of cyber security experience, including 20 years in the Navy working on some of the Nation's most difficult cyber security problems. Past roles include Product Manager, Computer Network Operations Operator, Weapons and Tactics Director, Technical Director, and Training Manager. Credentials, coursework, and certifications completed include Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).
NetSPI has updated Attack Surface Management (ASM) coverage for CVE-2023-42793 and released a Breach and Attack Simulation (BAS) playbook that lets you quickly test whether you have detection coverage for the TTPs used in a recent campaign by Russian Foreign Intelligence Service (SVR) actors, also known as APT 29.
Summary
On December 13, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) released Advisory AA23-347A, assessing that APT 29 has been targeting JetBrains TeamCity servers vulnerable to CVE-2023-42793. After gaining initial access, APT 29 attempted to escalate privileges, move laterally, deploy backdoors, and take additional steps to ensure long-term access to the compromised networks.
Details
In September 2023, APT 29 was observed scanning for and exploiting vulnerable versions of JetBrains TeamCity servers exposed to the internet. CVE-2023-42793 is an authentication bypass: it allowed APT 29 to sidestep the server's authentication and authorization controls and execute arbitrary code on the targeted servers.
Using a combination of existing automated plays and the customizable Advanced plays in the NetSPI Breach and Attack Simulation platform, we built a custom playbook that lets customers test their existing detection capabilities against this campaign. The playbook contains a total of 20 individual tests.
Some of the included procedures are:
SAM Access – Registry Backup
This actor used built-in commands to back up registry hives (including the SAM) so that sensitive credential material could be taken off the host; the backups were then zipped with PowerShell and placed in C:\Windows\Temp for later exfiltration.
WMI – WMIC
This campaign used many WMIC commands for host reconnaissance.
Advanced - Arbitrary Mimikatz Command Execution
APT 29 has been seen using at least five separate Mimikatz commands as part of its privilege escalation strategy. Using the NetSPI BAS platform's Advanced plays, it is simple to create a separate test for each of the commands used in this campaign.
Scheduled Task - schtasks.exe
The most common way the actor gained persistent access was by creating scheduled tasks.
Advanced - Arbitrary Windows Command Execution
This Advanced play lets us quickly create tests for the built-in host reconnaissance commands reported in the advisory. The playbook includes four Advanced plays covering the most common commands being run.
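The plays above each target one observable behaviour, so the question a detection engineer actually has to answer is "does my telemetry fire on it?". The following is an added example, not NetSPI's BAS code or anything from the advisory: it encodes the five behaviours as process-creation rules and runs them over constructed Windows process-start records (Sysmon Event ID 1 or Security 4688 style). The field names, the `ProcEvent` record, the sample command lines and the WMIC alias and Mimikatz module lists are assumptions made for the example.

```python
"""Detection logic for the post-exploitation behaviours listed above, run over
constructed Windows process-creation telemetry (Sysmon Event ID 1 / Security
4688 style: one record per process start). Added example, not NetSPI's BAS
plays: field names, sample events and rule details are assumptions made here."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    record_id: int
    host: str
    image: str          # full path of the executable that was started
    command_line: str


def _is_exe(e, name):
    # Windows paths are case-insensitive, so compare the lowered image name.
    return e.image.lower().endswith("\\" + name)


def rule_sam_registry_backup(e):
    # reg.exe save HKLM\SAM|SYSTEM|SECURITY <file>: hive backups yield
    # credential material without ever opening a handle to lsass.exe.
    return _is_exe(e, "reg.exe") and re.search(
        r"\bsave\b.*\bhklm\\(sam|system|security)\b", e.command_line, re.I) is not None


def rule_temp_archive_staging(e):
    # PowerShell Compress-Archive writing a zip under C:\Windows\Temp, the
    # staging location described above.
    image, cl = e.image.lower(), e.command_line.lower()
    return (image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe")) \
        and "compress-archive" in cl and "c:\\windows\\temp" in cl


WMIC_RECON_ALIASES = {"process", "service", "useraccount", "group", "qfe", "os",
                      "computersystem", "nicconfig", "share"}


def rule_wmic_recon(e):
    # wmic.exe <alias> get|list ...: host reconnaissance through WMI.
    return _is_exe(e, "wmic.exe") and any(
        tok in WMIC_RECON_ALIASES for tok in e.command_line.lower().split())


def rule_schtasks_persistence(e):
    # schtasks.exe /create registers a task that survives reboot.
    return _is_exe(e, "schtasks.exe") and re.search(r"/create\b", e.command_line, re.I) is not None


MIMIKATZ_MODULES = ("privilege::debug", "sekurlsa::", "lsadump::", "token::", "kerberos::")


def rule_mimikatz_syntax(e):
    # Key on Mimikatz's module::command syntax rather than the binary name,
    # because the binary is routinely renamed.
    cl = e.command_line.lower()
    return any(m in cl for m in MIMIKATZ_MODULES)


RULES = [
    ("sam_registry_backup", rule_sam_registry_backup),
    ("temp_archive_staging", rule_temp_archive_staging),
    ("wmic_recon", rule_wmic_recon),
    ("schtasks_persistence", rule_schtasks_persistence),
    ("mimikatz_syntax", rule_mimikatz_syntax),
]


def evaluate(events):
    """Return {rule_name: [record_ids]} for every rule that fired at least once."""
    hits = {}
    for e in events:
        for name, predicate in RULES:
            if predicate(e):
                hits.setdefault(name, []).append(e.record_id)
    return hits


# Constructed sample telemetry (not real logs). Records 1-5 mimic the five
# behaviours above; records 6-7 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1, "build01", r"C:\Windows\System32\reg.exe",
              r"reg save HKLM\SAM C:\Windows\Temp\1\sam.hive"),
    ProcEvent(2, "build01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Compress-Archive -Path C:\Windows\Temp\1 -DestinationPath C:\Windows\Temp\s.zip"),
    ProcEvent(3, "build01", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic process get name,commandline,parentprocessid"),
    ProcEvent(4, "build01", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "WindowsUpdateCheck" /tr "C:\Windows\Temp\svc.exe" /sc onstart /ru SYSTEM'),
    ProcEvent(5, "build01", r"C:\Windows\Temp\mk.exe",
              'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ProcEvent(6, "build02", r"C:\Windows\System32\reg.exe",
              r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ProcEvent(7, "build02", r"C:\Windows\System32\schtasks.exe", "schtasks /query /fo LIST /v"),
]


def coverage_report(events=SAMPLE_EVENTS):
    """Per-rule sorted record ids; an empty list means that behaviour went undetected."""
    hits = evaluate(events)
    return {name: sorted(hits.get(name, [])) for name, _ in RULES}


if __name__ == "__main__":
    for name, ids in coverage_report().items():
        print(f"{name:22s} {'HIT ' if ids else 'MISS'} {ids}")
```

Swap `SAMPLE_EVENTS` for records parsed from your own Sysmon or 4688 export and any rule that comes back with an empty list is a behaviour your current telemetry would miss. The rules are deliberately narrow string matches; a production detection would also weigh the parent process, the user context and the host's role (a build server has little reason to run `reg save` against the SAM hive).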
Mitigation
The first step should be to patch any JetBrains TeamCity servers in your network (JetBrains fixed CVE-2023-42793 in TeamCity 2023.05.4). NetSPI ASM can identify any TeamCity instances you are still hosting, verify that the issue was properly patched, and watch for the introduction of new instances in the future.
After patching, NetSPI BAS can help you evaluate whether your current detective controls detect and alert on this threat, and how robust those controls are.
For the automated plays, the BAS platform provides detailed instructions on how and where to detect this activity.
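The "verify it was properly patched" step comes down to a version gate: the fix for CVE-2023-42793 shipped in TeamCity 2023.05.4, so any on-premises instance reporting an older version needs attention. The following is an added example, not NetSPI's ASM logic. It assumes the version is visible on the server's login page as `Version 2023.05.3 (build NNNNNN)`; the host names, the HTML fragments and their build numbers are constructed for the example.

```python
"""Version gate for the TeamCity patching step above: is a discovered
instance older than the release that fixed CVE-2023-42793?

Added example, not NetSPI's ASM logic. It assumes the version is shown on the
login page as 'Version <major>.<minor>[.<patch>] (build N)'; the hosts and
page fragments below are constructed, build numbers included."""
import re

# JetBrains shipped the fix for CVE-2023-42793 in TeamCity 2023.05.4.
FIXED_VERSION = (2023, 5, 4)

_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?", re.I)


def parse_version(text):
    """Extract (major, minor, patch) from page text. Two-part releases such as
    '2023.05' are treated as patch 0. Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(page_html):
    """'vulnerable-version', 'fixed' or 'unknown' for one TeamCity login page."""
    version = parse_version(page_html)
    if version is None:
        return "unknown"
    return "vulnerable-version" if version < FIXED_VERSION else "fixed"


# Constructed login-page fragments (not captured from real servers).
SAMPLE_PAGES = {
    "ci-old.example.internal": '<span class="version">Version 2023.05.3 (build 129390)</span>',
    "ci-new.example.internal": '<span class="version">Version 2023.05.4 (build 129421)</span>',
    "ci-2part.example.internal": '<span class="version">Version 2023.05 (build 129000)</span>',
    "ci-hidden.example.internal": '<div class="loginPage">TeamCity</div>',
}


def triage(pages=SAMPLE_PAGES):
    """Map host -> assessment so the instances still needing work stand out."""
    return {host: assess(html) for host, html in pages.items()}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host:28s} {status}")
```

Two caveats a practitioner would apply: an instance that hides its version ("unknown") still has to be confirmed by other means, and JetBrains also published a security patch plugin for older TeamCity releases, so a version-only check flags those as vulnerable even when the plugin is installed. Treat the result as triage, and confirm with an actual test of the patched behaviour.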
Conclusion
Overall, this threat actor follows the growing trend of rapidly weaponizing a newly disclosed vulnerability for initial access while leaning on relatively traditional post-exploitation behavior to accomplish its goals. ASM can help identify and monitor for exposed instances, and BAS can be used to simulate the follow-on activity and evaluate your monitoring.
Interested in working toward a more proactive security strategy? Our security consultants are here to help define the path. Let’s talk.
CISA Alert AA23-347A: NetSPI Coverage for JetBrains TeamCity CVE-2023-42793
Published December 21, 2023