November 9, 2023 at 09:33AM
Threat actors are exploiting a zero-day vulnerability in SysAid's on-premises IT service management software to gain unauthorized access to corporate servers for data theft and ransomware deployment. The vulnerability, tracked as CVE-2023-47246, was used by the threat actor group Lace Tempest to deploy Clop ransomware. SysAid has released a patch and urges customers to update immediately. System administrators should also check their servers for signs of compromise using the detection steps and indicators of compromise SysAid has published.
Summary of Meeting Notes:
– Threat actors are using a zero-day vulnerability in SysAid to gain access to corporate servers for data theft and to deploy Clop ransomware.
– SysAid is a comprehensive IT Service Management (ITSM) solution.
– The Clop ransomware is known for exploiting zero-day vulnerabilities in widely used software.
– The vulnerability, tracked as CVE-2023-47246, was discovered on November 2 after attackers had already used it to breach on-premises SysAid servers.
– Microsoft's Threat Intelligence team identified the exploitation and notified SysAid. Microsoft attributes the activity to Lace Tempest, the Clop ransomware affiliate whose activity overlaps with FIN11 and TA505.
– SysAid's disclosure describes CVE-2023-47246 as a path traversal vulnerability that leads to unauthorized code execution; the technical details of the attack come from an investigation by incident response firm Profero.
– Using the zero-day, the threat actor uploaded a WAR archive containing a webshell and other payloads into the webroot of the SysAid Tomcat web service. From the webshell they ran PowerShell scripts that loaded the GraceWire malware into a legitimate process (spoolsv.exe, msiexec.exe or svchost.exe).
– A second PowerShell script then deleted activity logs to cover the attacker's tracks.
– Lace Tempest also deployed additional scripts that fetched a Cobalt Strike listener onto the compromised hosts.
– SysAid has developed a patch for CVE-2023-47246 and all users are recommended to upgrade to version 23.3.36 or later.
– System administrators should check SysAid servers for signs of compromise: look for unusual files in the SysAid Tomcat webroot (particularly WAR, ZIP or JSP files with anomalous timestamps), check for unauthorized webshell files in the SysAid Tomcat service, inspect existing JSP files for malicious code, review the logs for unusual activity, and run security scans.
– SysAid's report also provides indicators of compromise (file names and hashes, IP addresses, file paths and the attacker commands observed), which can be fed into detection tooling to find or block the intrusion.
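The webroot checks in the list above can be scripted. What follows is an added example, not code from SysAid, Profero or the original article: it walks a Tomcat webroot, reports any WAR/ZIP archive dropped there (listing the JSP pages it would deploy) and flags JSP files whose contents match a few common webshell patterns (a request parameter flowing into `exec()`, `ProcessBuilder`, references to `cmd.exe`/`powershell`). The extension list and the regular expressions are my own heuristics, not SysAid's published indicators; the sample webroot it builds in a temp directory, including the file names `tmp.jsp` and `dropped.war`, is constructed for demonstration only. Match any real hit against the hashes, paths and commands in SysAid's report before acting on it.

```python
from __future__ import annotations

import re
import tempfile
import zipfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Heuristic file types worth a look in a Tomcat webroot (my choice, not SysAid's IoC list):
# archives an attacker might drop for Tomcat to unpack, and server-side scripts that could be a webshell.
ARCHIVE_EXTS = {".war", ".zip"}
SCRIPT_EXTS = {".jsp", ".jspx"}

# Code patterns common in JSP webshells (heuristic). Legitimate application pages can match too,
# so every hit is a lead for manual review, not a verdict. Dict order is the output order.
WEBSHELL_PATTERNS = {
    "runtime_exec": re.compile(rb"Runtime\.getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process_builder": re.compile(rb"new\s+ProcessBuilder\s*\("),
    # a request parameter reaching exec() within a short distance: the classic command-shell shape
    "getparameter_exec": re.compile(rb"request\.getParameter\s*\(.{0,200}?exec\s*\(", re.DOTALL),
    "shell_binary": re.compile(rb"cmd\.exe|/bin/sh|powershell", re.IGNORECASE),
}


def scan_jsp_bytes(data: bytes) -> list[str]:
    """Return the names of the webshell heuristics that match one JSP body."""
    return [name for name, pat in WEBSHELL_PATTERNS.items() if pat.search(data)]


def jsp_members(archive: Path) -> list[str]:
    """List JSP/JSPX members of a WAR/ZIP; Tomcat would serve these if it unpacked the archive."""
    try:
        with zipfile.ZipFile(archive) as zf:
            return sorted(n for n in zf.namelist() if Path(n).suffix.lower() in SCRIPT_EXTS)
    except zipfile.BadZipFile:
        return []  # not a real archive; the caller still reports it because of its extension


def hunt_webroot(webroot, since: datetime | None = None) -> list[dict]:
    """Walk a Tomcat webroot and return findings sorted by path.

    since: if given, only files modified at or after this UTC time are considered,
    which narrows the scan to the window in which the server was exposed.
    """
    findings = []
    for p in Path(webroot).rglob("*"):
        if not p.is_file():
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if since is not None and mtime < since:
            continue
        ext = p.suffix.lower()
        if ext in ARCHIVE_EXTS:
            # An archive in the webroot is suspicious by itself; record what it would deploy.
            findings.append({"path": str(p), "kind": "archive_in_webroot",
                             "mtime": mtime.isoformat(), "detail": jsp_members(p)})
        elif ext in SCRIPT_EXTS:
            hits = scan_jsp_bytes(p.read_bytes())
            if hits:
                findings.append({"path": str(p), "kind": "jsp_webshell_heuristic",
                                 "mtime": mtime.isoformat(), "detail": hits})
    findings.sort(key=lambda f: f["path"])
    return findings


# --- constructed sample data for a stand-alone run; none of these names are SysAid indicators ---
BENIGN_JSP = b'<html><body>Hello, <%= request.getParameter("name") %></body></html>\n'
SHELL_JSP = b"""<%@ page import="java.io.*" %>
<%
  String c = request.getParameter("cmd");
  Process p = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", c});
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  String line; while ((line = r.readLine()) != null) { out.println(line); }
%>
"""


def build_sample_webroot(root: Path) -> None:
    """Create a small fake webroot: one clean page, one static asset, one webshell, one dropped WAR."""
    (root / "assets").mkdir(parents=True, exist_ok=True)
    (root / "index.jsp").write_bytes(BENIGN_JSP)
    (root / "assets" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "tmp.jsp").write_bytes(SHELL_JSP)
    with zipfile.ZipFile(root / "dropped.war", "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("shell.jsp", SHELL_JSP)


def demo_scan() -> tuple[list[dict], list[dict]]:
    """Build the sample webroot in a temp dir and scan it twice: whole tree, then a window starting tomorrow."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    build_sample_webroot(root)
    tomorrow = datetime.now(timezone.utc) + timedelta(days=1)
    return hunt_webroot(root), hunt_webroot(root, since=tomorrow)


if __name__ == "__main__":
    full, windowed = demo_scan()
    for f in full:
        print(f"{f['kind']:24} {f['path']}  {f['detail']}")
    print(f"findings inside a window that starts tomorrow: {len(windowed)}")
```

On a real server point `hunt_webroot` at the SysAid Tomcat webroot and pass `since` as the earliest time the server could have been reached, then review each hit by hand: an archive or a JSP with an unexpected timestamp matters regardless of whether the regexes fire, and the patterns will also match some legitimate pages, so the output is a triage list, not a verdict.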