Threat actors are exploiting a zero-day vulnerability in the SysAid service management software to gain access to business systems, steal data and deploy the Clop ransomware.
SysAid is an IT Service Management (ITSM) solution that provides a whole suite of tools for controlling different IT services inside an organization.
Tracked as CVE-2023-47246, the vulnerability was discovered on November 2 by the Microsoft Threat Intelligence team after threat actors exploited it to breach on-premise SysAid servers; Microsoft promptly alerted the company.
Microsoft attributed the exploitation to Lace Tempest, also tracked as FIN11 and TA505, which used the vulnerability to deploy the Clop ransomware.
Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched.
— Microsoft Threat Intelligence (@MsftSecIntel) November 9, 2023
Details on the Attack
In a report released on Wednesday, SysAid revealed that CVE-2023-47246 is a path traversal vulnerability that could lead to unauthorised code execution. The company also released technical details of the attack, uncovered in an investigation by Profero, an incident response firm.
Exploiting the zero-day, the threat actor uploaded a WAR (Web Application Resource) file containing a webshell into the webroot of the SysAid Tomcat web service.
This gave the threat actors the ability to execute additional PowerShell scripts and load further malware, GraceWire, which was injected into a legitimate process (e.g. svchost.exe, spoolsv.exe, msiexec.exe).
The Malware Loader Code (Source)
Following the data exfiltration, the threat actor attempted to cover their tracks by deleting activity logs with a separate PowerShell script.
Additionally, Microsoft observed that on compromised hosts Lace Tempest had deployed further scripts that retrieved a Cobalt Strike listener.
PS Script to Erase Attack Traces (Source)
Security Update Already Available
SysAid promptly developed a patch for CVE-2023-47246 after discovering the vulnerability, and it is now available as part of a software update. It is highly advised that all SysAid users update to version 23.3.36 or above.
Sysadmins are also advised to check their servers for signs of compromise by following these steps:
- Check the SysAid Tomcat webroot for unusual files, especially WAR, ZIP, or JSP files with anomalous timestamps.
- Look for unauthorized WebShell files in the SysAid Tomcat service and inspect JSP files for malicious content.
- Review logs for unexpected child processes from Wrapper.exe, which may indicate WebShell use.
- Check PowerShell logs for script executions that align with the attack patterns described.
- Monitor key processes like spoolsv.exe, msiexec.exe, svchost.exe for signs of unauthorized code injection.
- Apply provided IOCs to identify any signs of the vulnerability being exploited.
- Search for evidence of specific attacker commands that indicate system compromise.
- Run security scans for known malicious indicators related to the vulnerability.
- Look for connections to the listed C2 IP addresses.
- Check for signs of attacker-led cleanup to conceal their presence.
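The first three items of that checklist can be automated. The following Python script is an added example written for this article, not SysAid's or Microsoft's code: it walks a Tomcat webroot for WAR, ZIP and JSP files modified outside the last legitimate deployment window and for JSP pages containing server-side command-execution calls, flags process-creation records where Wrapper.exe spawned anything other than the Java runtime, and matches network-connection records against a C2 address list. The C2 address (an RFC 5737 documentation IP), the file paths, the telemetry records and the assumption that Wrapper.exe legitimately launches only java.exe are all constructed placeholders; substitute the indicators from SysAid's report before running it against real hosts.

```python
import ntpath
import os
import re
import tempfile
from datetime import datetime, timedelta

# Placeholder only (RFC 5737 documentation address); substitute the
# C2 IP addresses published in SysAid's report.
KNOWN_C2_IPS = {"203.0.113.10"}

# Assumed allowlist: the Tomcat service wrapper is expected to launch
# the Java runtime and nothing else.
EXPECTED_WRAPPER_CHILDREN = {"java.exe"}

# Server-side command-execution primitives a legitimate JSP page should not call.
JSP_EXEC_PATTERN = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")

# File types the advisory singles out in the Tomcat webroot.
WATCH_EXT = {".war", ".zip", ".jsp"}


def scan_webroot(webroot, deployed_at, tolerance=timedelta(days=1)):
    """Return (kind, path) findings: watched files whose modification time falls
    outside the last deployment window, and JSP files containing exec calls."""
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in WATCH_EXT:
                continue
            path = os.path.join(root, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if abs(mtime - deployed_at) > tolerance:
                findings.append(("anomalous_timestamp", path))
            if ext == ".jsp":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if JSP_EXEC_PATTERN.search(fh.read()):
                        findings.append(("webshell_pattern", path))
    return findings


def unexpected_wrapper_children(process_events):
    """Flag process-creation records where Wrapper.exe spawned something other
    than the expected Java runtime; a shell under it is the webshell signature."""
    hits = []
    for ev in process_events:
        parent = ntpath.basename(ev["parent_image"]).lower()  # handles Windows paths on any OS
        child = ntpath.basename(ev["image"]).lower()
        if parent == "wrapper.exe" and child not in EXPECTED_WRAPPER_CHILDREN:
            hits.append(ev)
    return hits


def c2_connections(net_events, c2_ips=KNOWN_C2_IPS):
    """Return network-connection records whose destination is a listed C2 address."""
    return [ev for ev in net_events if ev["dest_ip"] in c2_ips]


def _write(path, content, when):
    """Create a fixture file and back-date its modification time."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.utime(path, (when.timestamp(), when.timestamp()))


def run_demo():
    """Build a constructed webroot and constructed telemetry, run all three checks."""
    deployed_at = datetime(2023, 10, 1, 9, 0)   # last legitimate deployment (constructed)
    intrusion = datetime(2023, 11, 2, 3, 15)    # constructed upload time
    with tempfile.TemporaryDirectory() as webroot:
        app = os.path.join(webroot, "ROOT")
        os.makedirs(app)
        _write(os.path.join(app, "index.jsp"), "<html>portal</html>", deployed_at)
        _write(os.path.join(app, "constructed_upload.war"), "PK", intrusion)
        _write(os.path.join(app, "constructed_shell.jsp"),
               '<% Runtime.getRuntime().exec("placeholder"); %>', intrusion)
        webroot_findings = scan_webroot(webroot, deployed_at)

    process_events = [  # constructed Sysmon-style process-creation records
        {"parent_image": r"C:\placeholder\tomcat\bin\Wrapper.exe", "image": r"C:\placeholder\jre\bin\java.exe"},
        {"parent_image": r"C:\placeholder\tomcat\bin\Wrapper.exe", "image": r"C:\Windows\System32\cmd.exe"},
        {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    ]
    net_events = [  # constructed network-connection records
        {"image": r"C:\Windows\System32\svchost.exe", "dest_ip": "203.0.113.10"},
        {"image": r"C:\placeholder\jre\bin\java.exe", "dest_ip": "198.51.100.5"},
    ]
    return {
        "webroot": webroot_findings,
        "wrapper_children": unexpected_wrapper_children(process_events),
        "c2": c2_connections(net_events),
    }


if __name__ == "__main__":
    for check, hits in run_demo().items():
        print(check, hits)
```

On a real server, point `scan_webroot` at the Tomcat webroot with the timestamp of the last known-good deployment, and feed `unexpected_wrapper_children` and `c2_connections` with exported process-creation and network-connection events from Sysmon or your EDR. Timestamps alone are weak evidence, since an attacker can reset them, so treat the content match and the Wrapper.exe parent-child relationship as the stronger signals.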
For more details, see SysAid’s report, which provides indicators of compromise such as filenames and hashes, IP addresses, file paths used in the attack, and the commands the threat actor used to download malware or remove evidence of initial access. These indicators may help in identifying or preventing the intrusion.