Cozy Bear, a threat group linked to the Russian foreign intelligence service (SVR), has been hacking JetBrains TeamCity servers globally. The group has been exploiting an authentication bypass vulnerability in TeamCity since September 2023. The access gained through the vulnerability could be used to compromise source code, signing certificates, and software compilation and deployment processes. The SVR has been observed using the access to escalate privileges and deploy additional backdoors. Many companies have been notified after hundreds of compromised devices were discovered. The vulnerability was patched by JetBrains in September 2023, but some unpatched instances still exist. Cozy Bear is known for its involvement in various cyber attacks, including the SolarWinds campaign. Mitigation recommendations have been provided by CISA, including applying available patches and using multifactor authentication.

https://www.infosecurity-magazine.com/news/cozy-bear-russia-jetbrains-teamcity/
