US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers

U.S. and U.K. cyber agencies warned today that APT29 hackers linked to Russia’s Foreign Intelligence Service (SVR) target vulnerable Zimbra and JetBrains TeamCity servers “at a mass scale.”

A joint advisory issued by the NSA, the FBI, the U.S. Cyber Command’s Cyber National Mission Force (CNMF), and the U.K.’s NCSC warns network defenders to patch exposed servers to block these ongoing attacks.

The four cyber agencies said the hacking group targets unpatched Zimbra and TeamCity servers exposed online “at a mass scale to target victims worldwide across a variety of sectors ” using CVE-2022-27924 and CVE-2023-42793 exploits.

CVE-2022-27924 has been exploited since at least August 2022 to steal email account credentials from unpatched Zimbra Collaboration instances, while CVE-2023-42793 was exploited by both ransomware gangs and North Korean hacking groups for initial access and attempted supply-chain attacks.

“Based on the SVR cyber actors’ TTPs and previous targeting, the authoring agencies assess they have the capability and interest to exploit additional CVEs for initial access, remote code execution, and privilege escalation,” they added.

The advisory lists two dozen vulnerabilities disclosed and fixed over the last six years and asks defenders to deploy security patches and apply mitigations to prevent security breaches.

​Also tracked as Cozy Bear, Midnight Blizzard (formerly Nobelium), and the Dukes, this SVR hacking group has been targeting government and private organizations across the United States and Europe for years.

The NSA, FBI, and CISA issued a similar advisory more than three years ago, in April 2021, after the APT29 hackers breached multiple U.S. federal agencies following the SolarWinds supply-chain attack they orchestrated.

They also hacked into NATO nations’ Microsoft 365 accounts to steal foreign policy-related data and breached the Exchange Online accounts of Microsoft executives and other companies in November 2023.

More recently, the Five Eyes (FVEY) intelligence alliance warned in February that APT29 had also started targeting potential victims’ cloud services.

“This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date,” said NSA Cybersecurity Director Dave Luber.

“Our updated guidance will help network defenders detect these intrusions and ensure they are taking steps to secure their systems.”