Microsoft takes down Russian hackers Midnight Blizzard targeting TeamCity servers

It's not the first attack by the group.




Key notes

  • Russian nation-state threat actor Midnight Blizzard tried to get into TeamCity servers.
  • Microsoft intervened in the attempt and mitigated the campaign.
  • Midnight Blizzard joins the ranks of other nation-state threat actors, including North Korean groups Diamond Sleet and Onyx Sleet.

The Russian nation-state threat actor Midnight Blizzard is using a publicly available exploit for CVE-2023-42793 to target TeamCity servers.

Microsoft has taken steps to disrupt and mitigate this campaign and recommends that organizations patch the vulnerability, enable network segmentation, implement multi-factor authentication, monitor network traffic, and use security solutions to protect against this threat.

This vulnerability, which was discovered in early November, affects the popular continuous integration and continuous delivery (CI/CD) platform TeamCity.

Midnight Blizzard joins the ranks of other nation-state threat actors, including the North Korean groups Diamond Sleet and Onyx Sleet, that were observed exploiting CVE-2023-42793 in October.

After successfully exploiting the vulnerability, Midnight Blizzard installs a variant of the VaporRage malware and uses scheduled tasks to maintain persistence on the compromised system.
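As an added defender-side illustration (not code from the article or from Microsoft), the routine below triages Windows Security Event ID 4698 records ("A scheduled task was created") and flags tasks registered in the TeamCity server's own context, the kind of persistence described above; the service account name and install directories are assumptions to adapt to your environment, and the sample records are constructed.

```python
import xml.etree.ElementTree as ET

# Assumptions, not taken from the article: the TeamCity server's service
# account name and install/data directories. Adapt these to your estate.
TEAMCITY_ACCOUNTS = {"svc_teamcity"}
TEAMCITY_DIRS = ("c:\\teamcity\\", "c:\\programdata\\jetbrains\\teamcity\\")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_actions(task_xml):
    """Return (command, arguments) pairs from a Task Scheduler XML body."""
    root = ET.fromstring(task_xml)
    pairs = []
    for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", TASK_NS) or "").strip()
        pairs.append((cmd, args))
    return pairs


def suspicious_task(event):
    """Triage one Event ID 4698 record. A CI server has no reason to register
    OS-level scheduled tasks, so a task created by its service account, or
    whose action runs a binary from inside the TeamCity tree, is flagged.
    Returns a list of reasons, or None when nothing stands out."""
    if event.get("EventID") != 4698:
        return None
    reasons = []
    if event["SubjectUserName"].lower() in TEAMCITY_ACCOUNTS:
        reasons.append("created by TeamCity service account")
    for cmd, args in task_actions(event["TaskContent"]):
        if any(d in f"{cmd} {args}".lower() for d in TEAMCITY_DIRS):
            reasons.append(f"action runs from TeamCity directory: {cmd}")
    return reasons or None


def scan(events):
    """Map TaskName -> reasons for every flagged event in a batch."""
    return {e["TaskName"]: r for e in events if (r := suspicious_task(e))}


# Constructed sample records (not real telemetry), shaped like 4698 fields.
_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_teamcity", "TaskName": "\\Updater",
     "TaskContent": "<Task " + _NS + "><Actions><Exec><Command>C:\\TeamCity\\temp\\"
                    "update.exe</Command><Arguments>/s</Arguments></Exec></Actions></Task>"},
    {"EventID": 4698, "SubjectUserName": "Administrator", "TaskName": "\\Backup",
     "TaskContent": "<Task " + _NS + "><Actions><Exec><Command>C:\\Windows\\System32\\"
                    "wbadmin.exe</Command></Exec></Actions></Task>"},
]
```

Feed it the 4698 records exported from the affected server (for example via wevtutil or a SIEM query) rather than the constructed samples; a hit is a starting point for analysis, not proof of compromise on its own.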

This variant, which is similar to malware used in previous phishing campaigns by the threat actor, communicates with the command and control (C2) server using Microsoft OneDrive or Dropbox.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide protection against this and other Midnight Blizzard malware, including disrupting the abuse of Microsoft OneDrive for C2.