Two North Korean state-backed threat actors, dubbed Diamond Sleet and Onyx Sleet, can execute malicious code remotely on an application popular amongst DevOps and other software developers.
According to Microsoft, since early October 2023, Kim’s cyber armies have been exploiting a remote code execution vulnerability affecting multiple JetBrains TeamCity server versions. TeamCity is a continuous integration and deployment application.
The North Korean threat actors infiltrated the build environments and carried out successful supply chain attacks in past operations. Microsoft warns that this malicious activity poses a particularly high risk to affected organizations.
Victim organizations have been chosen indiscriminately, and threat actors seem to opportunistically attack and compromise vulnerable servers. The malware and tools that they use allow persistent access to victims' systems.
“If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens,” the report reads.
A patch for the vulnerability is already out. However, some organizations may need further mitigation and update their software to the latest version. The attackers are also known to drop additional tools to enable credential access, lateral movement, and other attack activities.
Microsoft directly communicates with customers targeted by nation-state actors.
Diamond Sleet (ZINC) is a known North Korean threat actor prioritizing espionage, data theft, financial gain, and network destruction. To target media, IT services, defense-related entities, and even security researchers around the world, ZINC weaponizes open-source software and conducts software supply chain compromises.
Onyx Sleet, also known as PLUTONIUM, is also a nation-state actor from North Korea, primarily targeting defense and IT services organizations in South Korea, the United States, and India. Onyx Sleet has developed a robust set of tools to establish persistent access and remain undetected. This threat actor frequently exploits known vulnerabilities.
More from Cybernews:
Subscribe to our newsletter