U.S. and U.K. cyber agencies have jointly issued a warning about the ongoing attacks by Russian-linked APT29 hackers, exploiting vulnerabilities in Zimbra and JetBrains TeamCity.
What happened
The National Security Agency (NSA), Federal Bureau of Investigation (FBI), U.S. Cyber Command’s Cyber National Mission Force (CNMF), and the U.K.’s National Cyber Security Centre (NCSC) have released an advisory warning against large-scale cyber-attacks led by APT29 hackers. These attacks are linked to Russia's Foreign Intelligence Service (SVR), exploiting the unpatched Zimbra Collaboration and JetBrains TeamCity (CVE-2023-42793) servers.
APT29, also known as Cozy Bear, has been using these vulnerabilities to steal email credentials and phish for unauthorized access, especially in sectors across the U.S. and Europe. The advisory urges organizations to patch the vulnerable servers immediately.
Backstory
APT29, also known as Cozy Bear or Midnight Blizzard, frequently targets Western governments and private organizations. The group is also responsible for the SolarWinds supply-chain attack last year, breaching several U.S. federal agencies. In February this year, Five Eyes issued a warning that APT29 started targeting cloud services.
Going deeper
Although the vulnerability CVE-2022-27924 was fixed in August 2022, it is continually used to steal credentials from unpatched Zimbra servers. Additionally, ransomware groups and North Korean hackers use CVE-2023-42793 to launch supply-chain attacks.
What was said
“This activity is a global threat to the government and private sectors and requires a thorough review of security controls, including prioritizing patches and keeping software up to date," said NSA Cybersecurity Director Dave Luber. "Our updated guidance will help network defenders detect these intrusions and ensure they are taking steps to secure their systems."
Why it matters
The APT29 attacks are a great risk to government and private organizations worldwide, the group's association with Russia's SVR, and its history of high-profile breaches. Targeting vulnerabilities in widely used platforms like Zimbra and TeamCity can lead to lead to massive disruptions, including data theft, operational downtime, and supply-chain attacks, affecting global sectors.
The bottom line
Organizations using Zimbra and JetBrains TeamCity must patch known system vulnerabilities to protect sensitive information from potential data breaches.
Apart from the imminent threat, the advisory is also a general reminder to organizations to continually monitor their systems and adhere to best practices like multi-factor authentication and encryption.
Learn more: HIPAA Compliant Email: The Definitive Guide
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
How does a vulnerability patch work?
A patch is a software update released by developers to fix vulnerabilities. It addresses the flaw by modifying or improving the affected code, preventing attackers from exploiting it.
How often should users update their browsers?
Users must enable automatic updates so that they always run the latest version. Regular updates protect users from known cyber vulnerabilities and improve browser performance.
