Flash Notices

Flash Notice: Threat Actors Exploiting SysAid Zero-Day Vulnerability

Written by Marketing | Nov 14, 2023 3:07:53 PM

overview

This week, threat actors are actively exploiting a zero-day vulnerability (CVE-2023-47246) in the SysAid service management software. The vulnerability is a path traversal flaw and allows attackers to gain unauthorized access to corporate on-premise servers, leading to data theft and the deployment of Cl0p ransomware.  

SysAid is a widely used IT Service Management solution, providing businesses tools for managing various IT services. Microsoft has identified the threat actor behind the exploitation as Lace Tempest, also known as TA505. The threat actors leverage the zero-day by uploading a Web Application Resource (WAR) archive containing a webshell into the webroot of the SysAid Tomcat web service. This allows the threat actors to execute additional PowerShell scripts, load the GraceWire malware, and compromise legitimate processes (msiexec.exe, svchost.exe, and spoolsv.exe).  

After exfiltrating data, the threat actor attempts to erase their tracks by using a PowerShell script to delete activity logs. A patch for CVE-2023-47246 is available in the latest software update, version 23.3.36. We strongly recommend that all SysAid users update to this version immediately.  

 

 

avertium's recommendationS

  • According to SysAid, Microsoft Defender detects the components of this attack as the following threats:  
    • Trojan:Win32/TurtleLoader 
    • Backdoor:Win32/Clop 
    • Ransom:Win32/Clop 
  • SysAid users using a SysAid on prem server should take the following actions:  
    • Update SysAid Software: Switch to version 23.3.36 or later. 
    • Review: look over any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior. 
    • Server Exposure: Ensure the server is not exposed to the public internet. 
    • Conduct Assessment: there should be a thorough compromise assessment of your SysAid server to look for any indicators mentioned.  
  • SysAid also recommends that users look for unauthorized access attempts or suspicious file uploads within the webroot directory of the SysAid Tomcat web service.  

 

 

INDICATORS OF COMPROMISE (IoCs)

Hashes 

  • b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d 

IP Addresses  

  • 81[.]19[.]138[.]52 
  • 45[.]182[.]189[.]100 
  • 179[.]60[.]150[.]34 
  • 45[.]155[.]37[.]105 

File Paths 

  • C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe 
  • C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war 
  • C:\Program Files\SysAidServer\tomcat\webapps\leave 

 

 

How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR for Microsoft combines Avertium's Fusion MXDR approach with Microsoft Security Solutions, creating the first MDR offering that integrates all aspects of security operations into an active and threat-informed XDR solution. Leveraging Microsoft's comprehensive and cost-effective technology, Fusion MXDR for Microsoft delivers a release of cyber energy, encompassing implementation, optimization, ongoing management, and tuning. 
  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap. 
  • Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

 

 

SUPPORTING DOCUMENTATION

CVE - CVE-2023-47246 (mitre.org) 

SysAid On-Prem Software CVE-2023-47246 Vulnerability – SysAid 

SysAid Zero-Day Vulnerability Exploited By Lace Tempest | Rapid7 Blog 

Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks (bleepingcomputer.com)