Threat actors have exploited a zero-day vulnerability in SysAid, a leading IT Service Management (ITSM) solution, to compromise corporate servers, steal data and deploy the notorious Clop ransomware. The vulnerability, tracked as CVE-2023-47246, highlights the increasing sophistication of cyber threats and the urgency for organizations to secure their IT infrastructure.
What Is SysAid?
SysAid is a comprehensive ITSM solution offering a suite of tools for managing IT services within an organization. The platform was affected by a path traversal vulnerability that allowed threat actors to execute unauthorized code and compromise on-premise SysAid servers.
CVE-2023-47246: Attack Details and Techniques
The vulnerability, discovered on November 2, was promptly assigned CVE-2023-47246. The Microsoft Threat Intelligence team, which tracks the threat actor as Lace Tempest (also known as FIN11 and TA505), revealed that the attackers deployed Clop ransomware after exploiting the zero-day flaw.
SysAid published a detailed report outlining the attack, explaining that the threat actor used the vulnerability to upload a Web Application Archive (WAR) file containing a webshell into the SysAid Tomcat web service. This gave the attacker the ability to execute additional PowerShell scripts and inject the GraceWire malware into legitimate processes.
The attack also included anti-forensic measures, such as deleting activity logs with PowerShell scripts. Lace Tempest went further, deploying scripts that fetched a Cobalt Strike listener onto compromised hosts.
Security Update and Recommendations
SysAid responded swiftly to the breach, developing a patch for CVE-2023-47246. The patch is included in the latest software update, and all SysAid users are strongly urged to upgrade to version 23.3.36 or later.
To mitigate risks and detect potential compromises, system administrators are advised to follow a series of steps outlined by SysAid. These include checking for unusual files in the SysAid Tomcat webroot, inspecting for unauthorized webshell files, reviewing logs for unexpected processes, and applying the provided indicators of compromise (IOCs).
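As an added illustration of the webroot check described above (this is example code written for this article, not SysAid's own tooling or IOCs), the following Python script lists WAR archives in a Tomcat webroot that are not on an allowlist of expected deployments, reports any JSP entries they contain, and flags .war files that are not valid archives. The webroot path, the allowlist of expected WAR names and the demo files are all assumptions constructed for the example.

```python
import tempfile
import zipfile
from pathlib import Path

# Extensions of server-side scripts a dropped webshell would typically use on Tomcat.
SCRIPT_EXTS = {".jsp", ".jspx"}


def inspect_war(war_path: Path) -> dict:
    """Summarise one WAR: is it a valid zip, and which JSP entries does it carry?"""
    info = {"path": war_path.name, "valid_zip": True, "jsp_entries": []}
    try:
        with zipfile.ZipFile(war_path) as zf:
            info["jsp_entries"] = sorted(
                n for n in zf.namelist() if Path(n).suffix.lower() in SCRIPT_EXTS
            )
    except zipfile.BadZipFile:
        info["valid_zip"] = False  # a .war that is not a zip deserves a closer look
    return info


def find_suspicious_wars(webroot: Path, expected_wars: set[str]) -> list[dict]:
    """Report WAR files under the webroot whose names are not on the deployment allowlist."""
    findings = []
    for war in sorted(webroot.rglob("*.war")):
        if war.name in expected_wars:
            continue
        info = inspect_war(war)
        info["reason"] = "WAR not in deployment allowlist"
        findings.append(info)
    return findings


def build_demo_webroot() -> Path:
    """Constructed sample webroot (assumption): one expected app, one stray WAR with a JSP, one corrupt WAR."""
    root = Path(tempfile.mkdtemp(prefix="tomcat_webroot_"))
    with zipfile.ZipFile(root / "expected_app.war", "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(root / "stray.war", "w") as zf:
        zf.writestr("page.jsp", "<%-- constructed placeholder content --%>")
    (root / "broken.war").write_bytes(b"not a zip archive")
    return root


if __name__ == "__main__":
    # Replace build_demo_webroot() with Path("<your Tomcat webroot>") for a real check.
    demo_root = build_demo_webroot()
    for finding in find_suspicious_wars(demo_root, {"expected_app.war"}):
        print(finding)
```

The allowlist should come from your own deployment records; anything the script reports is a candidate for manual review against the IOCs SysAid published, not a verdict on its own.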
Conclusion
The SysAid zero-day vulnerability exploited by Clop ransomware serves as a stark reminder of the ever-evolving cyber threat landscape.
Organizations must prioritize cybersecurity, promptly apply patches and follow best practices to safeguard their IT infrastructure against relentless and sophisticated threat actors. As the digital landscape continues to evolve, proactive measures are essential to stay one step ahead of those seeking to exploit vulnerabilities for malicious purposes.