Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

APT29 Hackers: The Evolving Threat to Zimbra and TeamCity Servers



US and UK cyber agencies warn of a significant threat from APT29 hackers targeting vulnerable Zimbra and TeamCity servers, urging network defenders to take immediate action to patch exposed servers and prevent security breaches.

  • APT29 hackers are targeting vulnerable Zimbra and JetBrains TeamCity servers worldwide, posing a significant risk to network defenders.
  • The group has been linked to Russia's Foreign Intelligence Service (SVR) and has a reputation for carrying out high-profile attacks on government agencies and private organizations.
  • APT29 hackers use CVE-2022-27924 and CVE-2023-42793 exploits to target unpatched servers, with the former used since August 2022 to steal email account credentials.
  • The advisory emphasizes that APT29 hackers have the capability and interest to exploit additional vulnerabilities for initial access, remote code execution, and privilege escalation.
  • Network defenders are advised to deploy security patches and apply mitigations to prevent security breaches, prioritizing software patching and robust security controls.



    Cybersecurity has been a pressing concern for organizations worldwide, with the constant threat of sophisticated hackers attempting to breach their defenses. Recently, a joint advisory issued by several prominent US and UK cyber agencies has highlighted the threat posed by APT29 hackers, linked to Russia's Foreign Intelligence Service (SVR). The advisory warns that these hackers are targeting vulnerable Zimbra and JetBrains TeamCity servers at a mass scale, posing a significant risk to network defenders worldwide.

    The warning comes as no surprise, given the APT29 group's reputation for carrying out high-profile attacks on government agencies, private organizations, and cloud services. In April 2021, the NSA, FBI, and CISA issued a similar advisory after the group breached multiple US federal agencies following the SolarWinds supply-chain attack they orchestrated. More recently, in February, the Five Eyes (FVEY) intelligence alliance warned that APT29 had started targeting potential victims' cloud services.

    According to the joint advisory, APT29 hackers use CVE-2022-27924 and CVE-2023-42793 exploits to target unpatched Zimbra and TeamCity servers. The former exploit has been used since at least August 2022 to steal email account credentials from unpatched Zimbra Collaboration instances. On the other hand, CVE-2023-42793 was exploited by both ransomware gangs and North Korean hacking groups for initial access and attempted supply-chain attacks.

    The advisory emphasizes that APT29 hackers have the capability and interest to exploit additional vulnerabilities for initial access, remote code execution, and privilege escalation. The warning is based on previous targeting patterns and the tactics, techniques, and procedures (TTPs) of the SVR cyber actors.

    To mitigate this threat, network defenders are advised to deploy security patches and apply mitigations to prevent security breaches. The advisory lists two dozen vulnerabilities disclosed and fixed over the last six years, highlighting the importance of staying up-to-date with software patches and maintaining robust security controls.

    The APT29 group is also known by other names, including Cozy Bear, Midnight Blizzard (formerly Nobelium), and the Dukes. These groups have been targeting government and private organizations across the United States and Europe for years, demonstrating their expertise in sophisticated cyber attacks.

    In light of this new warning, it is essential for organizations to prioritize security patches, keep software up-to-date, and review their security controls to prevent similar breaches. The threat posed by APT29 hackers highlights the ongoing need for vigilance in the face of evolving cybersecurity threats.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/us-uk-warn-of-russian-apt29-hackers-targeting-zimbra-teamcity-servers/

  • https://www.securityweek.com/russian-cyberspies-exploiting-teamcity-vulnerability-at-scale-government-agencies/

  • https://nvd.nist.gov/vuln/detail/CVE-2022-27924

  • https://www.cvedetails.com/cve/CVE-2022-27924/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-42793

  • https://www.cvedetails.com/cve/CVE-2023-42793/

  • https://en.wikipedia.org/wiki/Cozy_Bear

  • https://arstechnica.com/security/2024/01/the-life-and-times-of-cozy-bear-the-russian-hackers-who-just-hit-microsoft-and-hpe/


  • Published: Thu Oct 10 14:42:29 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.