U.S. and U.K. cyber agencies have jointly issued a warning about the ongoing attacks by Russian-linked APT29 hackers, exploiting vulnerabilities in Zimbra and JetBrains TeamCity.
The National Security Agency (NSA), Federal Bureau of Investigation (FBI), U.S. Cyber Command's Cyber National Mission Force (CNMF), and the U.K.'s National Cyber Security Centre (NCSC) have released an advisory warning of large-scale cyber-attacks led by APT29 hackers. These attacks are linked to Russia's Foreign Intelligence Service (SVR) and exploit unpatched Zimbra Collaboration (CVE-2022-27924) and JetBrains TeamCity (CVE-2023-42793) servers.
APT29, also known as Cozy Bear, has been using these vulnerabilities to steal email credentials and gain unauthorized access to systems, particularly across sectors in the U.S. and Europe. The advisory urges organizations to patch the vulnerable servers immediately.
APT29, also known as Cozy Bear or Midnight Blizzard, frequently targets Western governments and private organizations. The group is also responsible for the SolarWinds supply-chain attack last year, breaching several U.S. federal agencies. In February this year, Five Eyes issued a warning that APT29 started targeting cloud services.
Although CVE-2022-27924 was fixed in August 2022, it continues to be used to steal credentials from unpatched Zimbra servers. Additionally, ransomware groups and North Korean hackers use CVE-2023-42793 to launch supply-chain attacks.
"This activity is a global threat to the government and private sectors and requires a thorough review of security controls, including prioritizing patches and keeping software up to date," said NSA Cybersecurity Director Dave Luber. "Our updated guidance will help network defenders detect these intrusions and ensure they are taking steps to secure their systems."
The APT29 attacks pose a serious risk to government and private organizations worldwide, given the group's association with Russia's SVR and its history of high-profile breaches. Targeting vulnerabilities in widely used platforms like Zimbra and TeamCity can lead to massive disruptions, including data theft, operational downtime, and supply-chain attacks, affecting sectors globally.
Organizations using Zimbra and JetBrains TeamCity must patch known system vulnerabilities to protect sensitive information from potential data breaches.
Apart from the imminent threat, the advisory is also a general reminder to organizations to continually monitor their systems and adhere to best practices like multi-factor authentication and encryption.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
A patch is a software update released by developers to fix vulnerabilities. It addresses the flaw by modifying or improving the affected code, preventing attackers from exploiting it.
Users must enable automatic updates so that they always run the latest version. Regular updates protect users from known cyber vulnerabilities and improve browser performance.