Advisory November 10, 2023

SysAid IT Vulnerability

SysAid IT Support Software Vulnerability CVE-2023-47246

Overview

Multiple reports indicate that a threat actor identified as Lace Tempest (also known as FIN11 and TA505) is actively exploiting a zero-day vulnerability in the popular service management software SysAid. The exploitation has resulted in unauthorized access to corporate servers, data theft, and the deployment of the notorious Clop ransomware. The path traversal vulnerability, tracked as CVE-2023-47246, was discovered by Microsoft Threat Intelligence on November 2, after which SysAid developed and released a patch.

Affected Software

  • SysAid versions prior to 23.3.36

Details of the Exploitation

  1. Vulnerability Description: CVE-2023-47246 is a path traversal vulnerability leading to unauthorized code execution within on-premise SysAid servers.
  2. Attack Methodology: Threat actors leverage the zero-day flaw to upload a Web Application Resource (WAR) archive, including a webshell, into the webroot of the SysAid Tomcat web service. The webshell is then used to run additional PowerShell scripts, leading to the deployment of GraceWire malware.
  3. Post-Exploitation Behavior: Following data exfiltration, attackers attempt to erase their tracks using PowerShell scripts that delete activity logs. Lace Tempest also deploys additional scripts, fetching a Cobalt Strike listener on compromised hosts.

Recommendations

  1. Update Software: SysAid has released a patch for CVE-2023-47246 in version 23.3.36. All users are strongly advised to update their systems immediately.
  2. Server Check: System administrators should check thoroughly for signs of compromise, using the following guidelines:
    • Look for unusual files in the SysAid Tomcat webroot, especially WAR, ZIP, or JSP files with anomalous timestamps.
    • Inspect the SysAid Tomcat service for unauthorized WebShell files and JSP files for malicious content.
    • Review logs for unexpected child processes indicating WebShell use.
    • Monitor key processes like spoolsv.exe, msiexec.exe, svchost.exe for signs of unauthorized code injection.
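
The first check above can be scripted. The following is an added example, not code from SysAid or from the sources referenced in this advisory: it walks a webroot and lists WAR, ZIP and JSP files modified on or after a chosen date. The webroot path and the cutoff date are site-specific assumptions supplied by the operator.

```python
"""Triage helper: list WAR/ZIP/JSP files under a webroot changed since a date."""
import argparse
import os
from datetime import datetime, timezone

# File types the advisory says to look for in the SysAid Tomcat webroot.
SUSPECT_EXTS = {".war", ".zip", ".jsp"}


def find_suspect_files(webroot, since):
    """Return [(path, mtime_utc)], newest first, for files modified at/after `since`."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            # Case-insensitive match so "shell.WAR" or "a.Jsp" is not missed.
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # removed or unreadable mid-scan; skip it
            if mtime >= cutoff:
                hits.append((path, datetime.fromtimestamp(mtime, timezone.utc)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def main():
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("webroot", help="path to the Tomcat webroot (site-specific)")
    ap.add_argument("--since", required=True, help="UTC date, YYYY-MM-DD")
    args = ap.parse_args()
    since = datetime.strptime(args.since, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    for path, mtime in find_suspect_files(args.webroot, since):
        print(f"{mtime:%Y-%m-%d %H:%M:%SZ}  {path}")


if __name__ == "__main__":
    main()
```

File modification times can be changed by whoever wrote the file, so an empty result is inconclusive; every hit still needs its content reviewed by hand.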

The SOC and Threat Hunting teams of OBRELA remain vigilant and are closely monitoring clients’ infrastructure regarding potential exploitation attempts and Indicators of Compromise.

References:

https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

https://thehackernews.com/2023/11/zero-day-alert-lace-tempest-exploits.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47246

https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-day-vulnerability-exploited-by-lace-tempest/

https://www.malwarebytes.com/blog/news/2023/11/update-now-sysaid-vulnerability-is-actively-being-exploited-by-ransomware-affiliate