SysAid has released a patch for a critical zero-day flaw after attackers compromised several corporate servers through it. The affected application, an IT service management (ITSM) platform, was targeted by the Clop ransomware group, which is known for exploiting such software vulnerabilities to mount its attacks. The vulnerability, tracked as CVE-2023-47246, was discovered on November 2, when the Microsoft Threat Intelligence team identified its exploitation and promptly reported it to SysAid.
Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched.
— Microsoft Threat Intelligence (@MsftSecIntel) November 9, 2023
Details of the Exploitation and Response
Microsoft has identified the threat actor behind these attacks as Lace Tempest, also known as FIN11 and TA505, which has been deploying the Clop ransomware. The attack vector was a path traversal flaw in SysAid that led to unauthorized code execution on the compromised systems. Attackers used it to upload a WAR archive containing a webshell into the service's webroot, which gave them a foothold for further malicious activity.
The adversary then ran additional PowerShell scripts that deployed the GraceWire malware, injecting it into legitimate processes such as spoolsv.exe, msiexec.exe, and svchost.exe to hide its activity. Notably, the malware loader, dubbed 'user.exe', checked whether Sophos security products were running on the victim's system, presumably to avoid detection.
Later stages of the attack involved data exfiltration, a further script that deleted activity logs, and additional scripts that set up a Cobalt Strike listener on the compromised hosts, giving the attackers persistent control over the infected systems.
You may be familiar with Lace Tempest: the group was also behind the breach of file transfer firm MOVEit in August, which in turn led to further breaches, including one at a French employment firm that same month.
Recommendations and Mitigation Strategies
Following disclosure of the attack, SysAid developed and released a patch for the vulnerability and urged users to update to version 23.3.36 or later. The company also published a detailed report, prepared with the rapid incident response team from Profero, that covers the technical aspects of the breach and the steps to identify signs of compromise.
System administrators are advised to check the SysAid Tomcat webroot for unusual files, examine any webshell files for malicious content, inspect JSP files, review logs for abnormal processes, and monitor PowerShell logs and key processes for indicators of the exploit. Applying the published Indicators of Compromise (IOCs) should help identify any signs of exploitation, and running security scans for known malicious indicators is recommended.
SysAid also recommends a thorough review of server systems, hunting for the specific attacker commands, and checking for network connections to known command-and-control (C2) IP addresses. The goal is to detect and remove any trace of the attackers or the ransomware and to prevent further breaches.
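To show what the hunting steps above look like in practice, here is an added example in Python (not SysAid's, Profero's or Microsoft's tooling) that turns the article's checks into simple rules: it flags WAR and JSP files under a Tomcat webroot, and matches PowerShell log lines against the behaviours named in the article (the 'user.exe' loader, the processes used for injection, and deletion of logs). The directory layout, the file names, the regex rules, and the log lines are constructed for the demo and are not indicators from the page; real hunts should use the IOCs from the SysAid and Profero report and a known-good baseline of the webroot.

```python
"""Hunting helpers for the SysAid CVE-2023-47246 post-exploitation pattern.

Added illustrative example; not SysAid's, Profero's or Microsoft's tooling.
Everything below (directory layout, rule set, sample log lines) is constructed
for the demo and is an assumption, not an indicator taken from the article.
"""
import os
import re
import tempfile

# File types that normally do not appear as loose uploads under the webroot.
# Tune this against a known-good baseline: a legitimately deployed WAR
# should be excluded rather than reported every run.
SUSPICIOUS_EXT = {".war", ".jsp", ".jspx"}

# Coarse regexes over PowerShell / process log lines (constructed rules).
# Each maps to a short reason string used in the findings.
LOG_RULES = [
    (re.compile(r"\buser\.exe\b", re.I),
     "known loader name 'user.exe' executed"),
    (re.compile(r"(spoolsv|msiexec|svchost)\.exe", re.I),
     "script touching a process used for injection in the SysAid attack"),
    (re.compile(r"Remove-Item\s+.*\.log\b", re.I),
     "PowerShell deleting log files"),
    (re.compile(r"\bwevtutil\s+cl\b", re.I),
     "Windows event log being cleared"),
]


def scan_webroot(webroot):
    """Return sorted (path, reason) pairs for files with suspicious extensions."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXT:
                findings.append((os.path.join(dirpath, name),
                                 f"unexpected {ext} file in webroot"))
    return sorted(findings)


def scan_log_lines(lines):
    """Return (line_number, reason) for every log line matching a LOG_RULES entry."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        for pattern, reason in LOG_RULES:
            if pattern.search(line):
                hits.append((idx, reason))
    return hits


def build_sample_webroot():
    """Create a constructed Tomcat-like tree with one benign and two planted files."""
    root = tempfile.mkdtemp(prefix="sysaid-demo-")
    webapps = os.path.join(root, "tomcat", "webapps", "ROOT")
    os.makedirs(webapps)
    with open(os.path.join(webapps, "index.html"), "w") as fh:
        fh.write("<html>ok</html>\n")            # benign page
    with open(os.path.join(webapps, "upload.war"), "wb") as fh:
        fh.write(b"PK\x03\x04")                   # planted archive header (constructed)
    with open(os.path.join(webapps, "shell.jsp"), "w") as fh:
        fh.write("<% /* placeholder */ %>\n")     # planted JSP (constructed)
    return root


# Constructed PowerShell log excerpt; the timestamps and paths are made up.
SAMPLE_LOG_LINES = [
    "2023-11-02 10:01:03 Pipeline: Get-Service SysAidServer",
    "2023-11-02 10:05:47 CommandInvocation: Start-Process C:\\Temp\\user.exe",
    "2023-11-02 10:06:10 Pipeline: Get-Process spoolsv.exe | Select Id",
    "2023-11-02 10:09:55 Pipeline: Remove-Item C:\\SysAid\\tomcat\\logs\\*.log -Force",
    "2023-11-02 10:10:02 Pipeline: Get-Date",
]


def hunt(webroot, log_lines):
    """Run both checks and return the findings grouped by source."""
    return {"webroot": scan_webroot(webroot), "logs": scan_log_lines(log_lines)}


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for source, items in hunt(demo_root, SAMPLE_LOG_LINES).items():
        print(f"[{source}]")
        for where, reason in items:
            print(f"  {where}: {reason}")
```

Point `hunt()` at the real SysAid Tomcat webroot and at exported PowerShell operational logs to use it outside the demo; the rules are deliberately coarse (a `Get-Process spoolsv.exe` is not malicious on its own), so treat hits as leads to triage against the published IOCs rather than as verdicts.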