The U.S. and U.K. cyber agencies have issued a joint advisory warning about Russian Foreign Intelligence Service (SVR)-linked attackers, tracked as APT29 (a.k.a. Cozy Bear or Midnight Blizzard). These actors are exploiting vulnerabilities in Zimbra and JetBrains TeamCity servers to gain unauthorized access, steal credentials, and enable ransomware and supply chain attacks.
APT29 has been known to employ various tactics, including phishing, password spraying, and abusing trusted relationships for lateral movement. They prioritize anonymity, using the TOR network, proxies, and leased infrastructure for obfuscation. The group also relies heavily on pre-compromised systems, cloud misconfigurations, and weak access controls to avoid detection.
APT29 has been observed targeting two vulnerabilities. The first is CVE-2022-27924, a command injection vulnerability in Zimbra Collaboration Suite, exploited since August 2022 to steal email credentials and compromise email accounts. The second, CVE-2023-42793, is an authentication bypass vulnerability in JetBrains TeamCity, exploited to gain arbitrary code execution for initial access and privilege escalation. These exploits have also been linked to ransomware groups and North Korean actors targeting supply chains.