kcheung
Staff
Article Id 300603
Description

This article describes the JetBrains TeamCity Authentication Bypass Attack coverage with FortiNDR Cloud.

CVE-2023-42793 is a critical authentication bypass that could lead to unauthenticated remote code execution.

CVE ID

CVE-2023-42793 (https://nvd.nist.gov/vuln/detail/CVE-2023-42793)

NDR Cloud Detection Rule

Detection Rule Name: FortiGuard Outbreak Alert: JetBrains TeamCity Auth Bypass Successful Attempt (CVE-2023-42793)

Category: Attack: Exploitation

Primary MITRE ID: T1190 - Exploit Public-Facing Application


After exploitation, threat actors use AnyDesk to carry out further actions. Hunt for suspicious AnyDesk usage with the following detection:

Detection Rule Name: Potentially Unauthorized AnyDesk Remote Administration Tool

Category: Posture: Potentially Unauthorized Software or Device

Primary MITRE ID: T1219 - Remote Access Software

Threat hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “JetBrains TeamCity Authentication Bypass Attack” related activities.

https://www.fortiguard.com/outbreak-ioc?tag=JetBrains%20TeamCity%20RCE

Suricata Coverage

Customers can create custom investigations or detections using the Suricata signatures below (Emerging Threats SIDs):

2048460 -> ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-42793)

2048461 -> ET EXPLOIT JetBrains TeamCity Auth Bypass Successful Attempt (CVE-2023-42793)
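As an added example that is not part of the original article or of FortiNDR Cloud's own rule logic, the script below shows how the two Suricata signature IDs listed above and the AnyDesk post-exploitation hunt described earlier fit together in practice. It reads Suricata EVE JSON, counts "attempt" versus "successful" alerts per TeamCity host, and then flags any host that had a successful-bypass alert and resolved an anydesk.com domain shortly afterwards. The EVE lines are constructed sample data, not real traffic, and the DNS-based AnyDesk heuristic is an assumption made here for illustration; the FortiNDR Cloud rule named above may use different logic.

```python
"""Correlate Suricata EVE alerts for the TeamCity auth-bypass SIDs with later
AnyDesk activity from the same host. Added example; sample data is constructed."""
import json
from datetime import datetime, timedelta

# Suricata SIDs as listed in the article, mapped to the outcome they signal.
TEAMCITY_SIDS = {
    2048460: "attempt",     # ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt
    2048461: "successful",  # ET EXPLOIT JetBrains TeamCity Auth Bypass Successful Attempt
}

# Assumption: AnyDesk usage is approximated by DNS queries for anydesk.com names.
ANYDESK_DOMAIN = "anydesk.com"

# Constructed sample EVE JSON lines (one event per line); not real traffic.
SAMPLE_EVE = r'''
{"timestamp":"2023-10-02T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","dest_port":8111,"alert":{"signature_id":2048460,"signature":"ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-42793)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2023-10-02T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","dest_port":8111,"alert":{"signature_id":2048461,"signature":"ET EXPLOIT JetBrains TeamCity Auth Bypass Successful Attempt (CVE-2023-42793)","category":"Successful Administrator Privilege Gain","severity":1}}
{"timestamp":"2023-10-02T10:20:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"boot.net.anydesk.com","rrtype":"A"}}
{"timestamp":"2023-10-02T10:05:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.9","dest_port":8111,"alert":{"signature_id":2048460,"signature":"ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-42793)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2023-10-02T11:00:00.000000+0000","event_type":"dns","src_ip":"10.0.0.77","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"relay-1.anydesk.com","rrtype":"A"}}
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_time(event):
    """Parse the EVE timestamp (microseconds plus numeric UTC offset) into a datetime."""
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def is_anydesk_name(rrname):
    """True for anydesk.com itself or any subdomain of it."""
    name = rrname.lower().rstrip(".")
    return name == ANYDESK_DOMAIN or name.endswith("." + ANYDESK_DOMAIN)


def teamcity_alerts(events):
    """Count attempt/successful alerts per targeted TeamCity host (dest_ip)."""
    summary = {}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        outcome = TEAMCITY_SIDS.get(ev["alert"].get("signature_id"))
        if outcome is None:
            continue
        target = summary.setdefault(ev["dest_ip"], {"attempt": 0, "successful": 0})
        target[outcome] += 1
    return summary


def anydesk_after_compromise(events, window=timedelta(hours=1)):
    """Find hosts with a successful-bypass alert that queried an AnyDesk name
    within `window` afterwards: the T1190 -> T1219 chain described in the article."""
    successes = [ev for ev in events
                 if ev.get("event_type") == "alert"
                 and TEAMCITY_SIDS.get(ev["alert"].get("signature_id")) == "successful"]
    findings = []
    for ev in events:
        if ev.get("event_type") != "dns" or ev["dns"].get("type") != "query":
            continue
        if not is_anydesk_name(ev["dns"].get("rrname", "")):
            continue
        for hit in successes:
            delta = event_time(ev) - event_time(hit)
            # The compromised TeamCity host (dest_ip of the alert) is the DNS client (src_ip).
            if hit["dest_ip"] == ev["src_ip"] and timedelta(0) <= delta <= window:
                findings.append({
                    "host": ev["src_ip"],
                    "attacker": hit["src_ip"],
                    "bypass_at": hit["timestamp"],
                    "anydesk_query": ev["dns"]["rrname"],
                    "queried_at": ev["timestamp"],
                    "mitre": ["T1190", "T1219"],
                })
    return findings


EVENTS = parse_eve(SAMPLE_EVE)

if __name__ == "__main__":
    print(json.dumps(teamcity_alerts(EVENTS), indent=2))
    print(json.dumps(anydesk_after_compromise(EVENTS), indent=2))
```

On the sample data, 10.0.0.5 shows one attempt followed by a successful bypass and an AnyDesk lookup twenty minutes later, so it is reported; 10.0.0.9 saw only an attempt, and 10.0.0.77's AnyDesk lookup has no preceding bypass alert, so neither is flagged. Widen `window` to match your environment's dwell-time expectations when running this over real EVE logs.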

Other Fortinet Products

For more details on mitigating this vulnerability with Fortinet products, refer to https://www.fortiguard.com/outbreak-alert/jetbrains-teamcity-rce