How Lazarus Group Exploits JetBrains TeamCity CVE-2023-42793 to Breach Crypto Infrastructure

The cybersecurity landscape in the cryptocurrency sector faces an evolving threat as state-sponsored hacking groups continue to refine their attack methodologies. On October 19, 2023, Microsoft revealed that multiple North Korean threat actors are actively exploiting a critical vulnerability in JetBrains TeamCity, a widely used continuous integration and continuous deployment server. The flaw, tracked as CVE-2023-42793, carries significant implications for crypto exchanges, wallet providers, and blockchain infrastructure companies that rely on CI/CD pipelines for their development workflows.

The Exploit Mechanics

CVE-2023-42793 is a critical-severity remote code execution vulnerability that allows unauthenticated attackers to gain administrator-level permissions on vulnerable on-premises TeamCity instances. JetBrains released patches for the bug on September 21, 2023, but in-the-wild exploitation attempts were reported just one week later, underscoring the speed at which sophisticated threat actors weaponize newly disclosed flaws.

At least two North Korean state-sponsored groups — Diamond Sleet (also known as Zinc, a sub-group of Lazarus) and Onyx Sleet (tracked as Plutonium or Andariel) — have been observed exploiting this vulnerability. Diamond Sleet deploys a persistent backdoor named ForestTiger after compromising TeamCity servers and uses it to dump LSASS credentials from memory, a technique commonly used to harvest administrative credentials that could grant access to cryptocurrency wallets, exchange APIs, and internal systems.

Onyx Sleet takes a different approach, creating new accounts on compromised systems to impersonate legitimate Windows accounts for Kerberos Ticket Granting Ticket operations. After fingerprinting the system, the attackers deploy proxy tools for persistent connections, sign in via Remote Desktop Protocol, and proceed to dump credentials and deploy additional tools for data theft.

Affected Systems

The scope of this vulnerability extends far beyond traditional software development environments. Crypto exchanges, decentralized finance protocols, and blockchain infrastructure providers frequently use CI/CD tools like TeamCity to manage their deployment pipelines. A compromised build server can serve as an entry point for supply chain attacks, where malicious code is injected into production builds without detection.

Microsoft assessed that the threat actors may be opportunistically compromising vulnerable servers, but both groups have deployed malware and tools enabling persistent access to victim environments. Given the history of North Korean cyber operations targeting cryptocurrency platforms — including the $53 million CoinEx theft and the $41 million Stake.com heist — any crypto-related organization running TeamCity servers faces elevated risk.

The Mitigation Strategy

Organizations in the cryptocurrency space should take immediate action to address this vulnerability. The first priority is applying the JetBrains patches for CVE-2023-42793 to all TeamCity instances. Additionally, security teams should investigate their networks for potential compromise using the indicators of compromise published by Microsoft, block traffic from identified malicious IP addresses, and review access logs for unusual administrative activity.

For crypto-specific defenses, organizations should implement multi-factor authentication on all CI/CD systems, restrict network access to build servers through zero-trust architecture, and deploy endpoint detection and response solutions capable of identifying credential dumping activities targeting LSASS memory.

Lessons Learned

This incident reinforces several critical security principles for the crypto industry. First, CI/CD infrastructure represents a high-value target that often receives less security attention than production systems. Second, the rapid weaponization of vulnerabilities — patches were available for only one week before exploitation began — demands accelerated patch management processes. Third, state-sponsored groups with demonstrated interest in cryptocurrency theft actively target the development supply chain as an attack vector.

The Lazarus Group alone has stolen billions of dollars in cryptocurrency over recent years, and their continued evolution toward supply chain compromises through CI/CD server exploitation represents a significant escalation that demands proactive defense measures across the entire crypto ecosystem.

User Action Required

If your organization operates JetBrains TeamCity servers, apply patches immediately and conduct a thorough security audit of build pipeline infrastructure. Verify that no unauthorized accounts have been created and that all deployed artifacts match their expected checksums. Exchange operators should review withdrawal and transaction monitoring systems for any signs of credential compromise. Individual crypto users should ensure they are using platforms that follow rigorous infrastructure security practices, including timely patching of development tools and supply chain integrity verification.
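The checksum step of that audit can be scripted. The following is an added example, not code from the article, from JetBrains or from TeamCity: it reads a `sha256sum`-style manifest (`<hex digest>  <relative path>`) recorded at release sign-off, hashes every file actually present in a deployment directory, and reports three kinds of drift: artifacts whose hash differs from the manifest, artifacts listed in the manifest but absent, and files present on disk that nobody declared. The directory layout, file names and manifest contents in `demo()` are constructed sample data, and all function and class names are this example's own.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large build outputs never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines into {relative_path: hex_digest}.

    Blank lines and '#' comments are ignored; a leading '*' on the path
    (sha256sum's binary-mode marker) is stripped. Malformed lines raise,
    because a manifest we cannot fully read is not a manifest we can trust.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <path>'")
        digest, rel_path = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: '{digest}' is not a SHA-256 hex digest")
        expected[rel_path] = digest
    return expected


@dataclass
class VerificationResult:
    ok: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)   # present, but hash differs
    missing: list = field(default_factory=list)      # in manifest, not on disk
    unexpected: list = field(default_factory=list)   # on disk, not in manifest

    def passed(self):
        # Undeclared extras fail the check too: an attacker-dropped file would
        # otherwise pass as long as the declared artifacts were untouched.
        return not (self.mismatched or self.missing or self.unexpected)


def verify_artifacts(artifact_dir, expected):
    """Compare the files under artifact_dir against the parsed manifest."""
    result = VerificationResult()
    present = set()
    for root, _dirs, files in os.walk(artifact_dir):
        for name in files:
            full = os.path.join(root, name)
            present.add(os.path.relpath(full, artifact_dir).replace(os.sep, "/"))
    for rel, digest in expected.items():
        if rel not in present:
            result.missing.append(rel)
            continue
        actual = sha256_of_file(os.path.join(artifact_dir, rel))
        (result.ok if actual == digest else result.mismatched).append(rel)
    result.unexpected = sorted(present - set(expected))
    return result


def demo():
    """Constructed scenario: one clean artifact, one tampered, one missing, one undeclared."""
    with tempfile.TemporaryDirectory() as d:
        declared = {  # constructed sample artifacts, hashed before "sign-off"
            "bin/wallet-service": b"release build 1.2.3 (constructed sample)\n",
            "config/app.yaml": b"network: mainnet\n",
        }
        manifest_lines = ["# constructed release manifest"]
        for rel, data in declared.items():
            path = os.path.join(d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            manifest_lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
        manifest_lines.append(f"{'0' * 64}  bin/missing-tool")  # declared, never produced
        # Simulate post-sign-off tampering of one artifact and an undeclared extra file.
        with open(os.path.join(d, "config/app.yaml"), "ab") as f:
            f.write(b"# line appended after sign-off (constructed)\n")
        with open(os.path.join(d, "bin/helper.dll"), "wb") as f:
            f.write(b"undeclared file (constructed)")
        return verify_artifacts(d, parse_manifest("\n".join(manifest_lines)))


if __name__ == "__main__":
    r = demo()
    print("ok:", r.ok, "mismatched:", r.mismatched, "missing:", r.missing,
          "unexpected:", r.unexpected, "passed:", r.passed())
```

The manifest only has value if it was produced and stored somewhere the build server cannot rewrite; a checksum file that lives next to the artifacts on a compromised CI host can be regenerated by the same attacker who altered the build, so keep the signed-off copy in a separate trust boundary.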

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified security professionals regarding your specific situation.


10 thoughts on “How Lazarus Group Exploits JetBrains TeamCity CVE-2023-42793 to Breach Crypto Infrastructure”

  1. patched on sept 21, exploits in the wild by sept 28. one week. if you're running unpatched teamcity in 2026 you deserve what happens tbh

  2. lazarus targeting ci/cd pipelines specifically because that's where deployment keys live. one compromised build server = full supply chain access

    1. deployment keys, database credentials, signing keys all accessible from one compromised CI server. the blast radius of a TeamCity breach is genuinely terrifying

      1. the blast radius point is critical. one CI server gives you deployment keys, signing certs, database creds, the whole stack. it's the skeleton key of infrastructure

    2. ^ exactly. it's not about the server itself, it's about what that server can push to production. the blast radius is insane

    3. lazarus running two separate groups on the same CVE shows how much resources they allocate to crypto targets. it's state funded and coordinated

      1. two separate DPRK groups on the same CVE shows how much they budget for crypto infrastructure attacks. it's not opportunistic, it's strategic

      2. state funded and coordinated. people forget lazarus has a full time staff of thousands. they don't exploit and run, they establish persistence for months
