A Holiday Gift From AttackIQ: New Flex Test to Emulate Nobelium, Unveiling Cyber Threats to TeamCity Servers

Old Dog, New Tricks

In a coordinated release on December 13, 2023, the U.S. FBI, CISA and NSA, Poland’s SKW and CERT.PL, and the UK’s NCSC issued a joint Cybersecurity Advisory (CISA AA23-347A) detailing Nobelium’s campaign against JetBrains TeamCity servers, under way since September 2023.

Nobelium, tracked under that name since 2019 and linked to APT29, belongs to a group whose history dates back to 2013. Compromising a TeamCity build server is serious: the attacker gains access to source code and signing certificates and a foothold in the software build and deployment pipeline itself, the ingredients of a software-supply-chain attack.

The SVR gains its initial access by exploiting the TeamCity CVE, then works through the environment methodically and persistently, which is what makes the campaign worth emulating end to end.

Ho Ho Ho, Now I Have A… New Flex Test!

We’ve got you covered this holiday season. AttackIQ Flex now includes a new adversary emulation, allowing you to test your security controls against this emerging threat. You can start testing for free today (or when you’re back in the office).

How It Works: Emulating the SVR’s Tactics

The emulation follows the chain described in the advisory. It begins with exploitation of the TeamCity CVE to gain code execution on the build server. The attacker then deploys the GraphicalProton backdoor, which hides its command-and-control traffic in legitimate OneDrive and Dropbox API calls and carries data inside BMP image files. Legitimate applications are abused for DLL side-loading (the package includes a backdoored vcperf sample), and a scheduled task provides persistence. From there the adversary runs local and network reconnaissance, collects credentials (registry hive dumps, Mimikatz, Kerberoasting) and weakens host defenses through registry changes, moves laterally by creating processes through WMI, and establishes a tunnel to the C2 infrastructure with a modified rsockstun. Finally the collected data is staged, padded with benign data (binary padding), and exfiltrated.

The Flex package includes the following scenarios:

  • Dump SAM Registry Hive via “reg save” Command
  • Binary Padding (appended 101 MB) Script
  • Save 2023-12 Modified rsockstun Sample to File System
  • Process Discovery Through Tasklist
  • System Owner Group Discovery
  • Enumerate Domain Controllers using Nltest
  • Save 2023-12 GraphicalProton HTTPS Sample to File System
  • Download 2023-10 GraphicalProton HTTP Sample to Memory
  • Enable Restricted Admin Mode via Registry
  • Persistence Through Scheduled Task
  • Kerberoasting using Rubeus
  • Dump Windows Passwords with Obfuscated Mimikatz
  • Dump SECURITY Registry Hive via “reg save” Command
  • Save 2023-12 Backdoored vcperf Sample to File System
  • Process Discovery Through WMI
  • Enable LM Hash Mode via Registry
  • Use Registry to Disable Security Features: Disable Local Security Authority (LSA) Protection
  • DLL Side-Loading
  • Data Staged Script
  • Save 2023-10 GraphicalProton HTTP Sample to File System
  • Dump SYSTEM Registry Hive via “reg save” Command
  • Download 2023-12 GraphicalProton HTTPS Sample to Memory
  • System Owner/User Discovery Script
  • Download 2023-12 Modified rsockstun Sample to Memory
  • Discover Windows Services via “Get-WMIObject Win32_Service” PowerShell Command
  • Discover Drivers via “Get-WindowsDriver” PowerShell Command
  • System Network Connections Discovery
  • Create Process Through WMI
  • Get Domain Controller Information through Windows Command Line
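
The value of running these scenarios is in confirming that your telemetry and rules actually fire on them. The following is an added example, not AttackIQ’s or the advisory’s code: a small detection pass over constructed Windows telemetry that maps hits back to the scenarios above. It assumes a normalised event shape (a "process" event with "image" and "cmdline", or a "registry" event with the full value path in "key" and the written DWORD in "data", as a Sysmon or EDR pipeline might emit), and the ATT&CK technique IDs are our mapping, not AttackIQ’s. Every sample event is constructed for illustration.

```python
"""Added example: map constructed Windows telemetry back to the emulated scenarios.

Assumed event shape (a normalised Sysmon/EDR feed; nothing here is real telemetry):
  {"type": "process",  "image": ..., "cmdline": ...}
  {"type": "registry", "key": <full value path>, "data": <int DWORD written>}
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scenario: str   # Flex scenario the event corresponds to
    technique: str  # ATT&CK technique ID (our mapping, an assumption)
    evidence: str   # field value that fired the rule


# Command-line rules: (regex, scenario, technique). Matched case-insensitively.
CMDLINE_RULES = [
    (r"\breg(?:\.exe)?\s+save\s+(?:hklm\\)?(?:sam|security|system)\b",
     'Dump SAM/SECURITY/SYSTEM Registry Hive via "reg save"', "T1003.002"),
    (r"\bnltest(?:\.exe)?\s+/(?:dclist|dsgetdc)",
     "Enumerate Domain Controllers using Nltest", "T1018"),
    (r"\btasklist(?:\.exe)?\b",
     "Process Discovery Through Tasklist", "T1057"),
    (r"\bschtasks(?:\.exe)?\s+/create\b",
     "Persistence Through Scheduled Task", "T1053.005"),
    (r"\bwmic(?:\.exe)?\s+(?:/node:\S+\s+)?process\s+call\s+create\b",
     "Create Process Through WMI", "T1047"),
    (r"\bkerberoast\b",
     "Kerberoasting using Rubeus", "T1558.003"),
]

# Registry rules keyed by lower-cased suffix of the value path:
# (data that weakens the host, scenario, technique). Writing 0 turns a
# protection off (RunAsPPL) or a weakness on (NoLMHash=0 stores LM hashes,
# DisableRestrictedAdmin=0 enables Restricted Admin RDP logons).
REGISTRY_RULES = {
    "control\\lsa\\runasppl": (0, "Disable LSA Protection via Registry", "T1562.001"),
    "control\\lsa\\nolmhash": (0, "Enable LM Hash Mode via Registry", "T1112"),
    "control\\lsa\\disablerestrictedadmin": (0, "Enable Restricted Admin Mode via Registry", "T1112"),
}


def scan_process(event: dict) -> list[Finding]:
    """Return one Finding per command-line rule that matches this event."""
    cmd = event.get("cmdline", "")
    return [Finding(scenario, tid, cmd)
            for pattern, scenario, tid in CMDLINE_RULES
            if re.search(pattern, cmd, re.IGNORECASE)]


def scan_registry(event: dict) -> list[Finding]:
    """Flag a registry write only when it sets the weakening value."""
    key = event.get("key", "").lower()
    for suffix, (bad, scenario, tid) in REGISTRY_RULES.items():
        if key.endswith(suffix) and event.get("data") == bad:
            return [Finding(scenario, tid, f"{event['key']} = {event['data']}")]
    return []


def scan(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev.get("type") == "process":
            findings.extend(scan_process(ev))
        elif ev.get("type") == "registry":
            findings.extend(scan_registry(ev))
    return findings


def techniques_hit(events: list[dict]) -> set[str]:
    """Coverage summary: which emulated techniques produced at least one alert."""
    return {f.technique for f in scan(events)}


# Constructed sample feed: a mix of scenario activity and benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},  # benign
    {"type": "process", "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
    {"type": "process", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp.example"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "OneDrive Update" /tr C:\Users\Public\vcperf.exe /sc onlogon'},
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic /node:fileserver01 process call create cmd.exe"},
    {"type": "process", "image": r"C:\Users\Public\r.exe", "cmdline": "r.exe kerberoast /outfile:hashes.txt"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL", "data": 0},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash", "data": 0},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin", "data": 0},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL", "data": 1},  # hardening
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.scenario}: {f.evidence}")
```

Two design points matter when you wire this into a real SIEM. First, the Rubeus rule keys on the `kerberoast` verb rather than the binary name, because the sample above (like real tradecraft) runs a renamed copy; matching on `Rubeus.exe` alone would miss it. Second, the registry rules fire only on the weakening value, so the hardening write of `RunAsPPL = 1` is ignored rather than producing a false positive; when a scenario in the package runs and nothing in this pass fires, that is the gap the emulation was meant to surface.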

Sign up for AttackIQ Flex for free today to start your testing! Stay safe, keep testing! Happy holidays!