Clop ransomware operators exploit SysAid zero-day vulnerability
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Intelligence indicates that Clop ransomware operators have initiated an attack campaign involving the exploitation of the recently disclosed SysAid zero-day vulnerability tracked as CVE-2023-47246. It has been assessed that the operation has almost certainly been conducted with the objective of data exfiltration and ransomware deployment. CVE-2023-47246 is classified as a path traversal vulnerability that allows for remote code execution (RCE).
Exploitation by the Clop ransomware operators has involved the upload of a WAR (Web Application Resource) archive containing a malicious webshell into the webroot of the SysAid Tomcat web service. This allowed the threat actors to execute PowerShell scripts, resulting in the installation of GraceWire malware. Additional scripts were detected that were responsible for establishing command-and-control (C2) infrastructure via Cobalt Strike beaconing.
Impact
Successful exploitation of CVE-2023-47246 would almost certainly allow threat actors to execute remote code on vulnerable systems, resulting in the compromise of data integrity in the first instance.
Vulnerability Detection
A security patch has been released by SysAid. As such, previous product versions remain vulnerable to potential exploitation.
Affected Products
SysAid On-Prem server.
Containment, Mitigations & Remediations
It is strongly recommended that all SysAid users update to version 23.3.36 or later. Additionally, system administrators should follow the recommended mitigation steps outlined below:
Check the SysAid Tomcat webroot for unusual files, with an emphasis on WAR, ZIP, or JSP files
Check for unauthorised WebShell files in the SysAid Tomcat service and inspect JSP files for malicious content
Review logs for unexpected child processes from Wrapper.exe
Check PowerShell logs for script executions that align with the disclosed attack patterns
Monitor key processes such as spoolsv.exe, msiexec.exe and svchost.exe for markers of code injection
Apply the disclosed Indicators of Compromise (IoCs) to identify potential exploitation
Search for evidence of specific threat actor commands
Scan for known malicious indicators related to the vulnerability
Check for connections regarding the disclosed C2 infrastructure
Check for evidence of threat actors potentially clearing tracks.
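As an added illustration, not code from the advisory or from SysAid, the following read-only PowerShell triage script carries out three of the checks listed above on a SysAid On-Prem host: recently written WAR, ZIP or JSP files in the Tomcat webroot, live child processes of Wrapper.exe, and historical Security log 4688 process-creation events whose creator process was Wrapper.exe. The webroot path is a parameter because the advisory does not state it, and the assumption that Wrapper.exe normally launches only java.exe is the editor's, not the advisory's.

```powershell
# Added triage example, not part of the advisory. Run as an administrator on the SysAid On-Prem host.
# Assumptions: $WebRoot points at the SysAid Tomcat webroot (e.g. <SysAid install dir>\tomcat\webapps),
# and Wrapper.exe (the service wrapper hosting Tomcat) normally launches only java.exe.
param(
    [Parameter(Mandatory = $true)][string]$WebRoot,
    [int]$LookbackDays = 30
)
$since = (Get-Date).AddDays(-$LookbackDays)

# Check 1: WAR, ZIP or JSP files written to the webroot within the lookback window (newest first).
Write-Host "== WAR/ZIP/JSP files under $WebRoot modified since $since =="
Get-ChildItem -Path $WebRoot -Recurse -File -Include *.war, *.zip, *.jsp -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# Check 2: processes currently running as children of Wrapper.exe, other than java.exe.
Write-Host "== Live child processes of Wrapper.exe (excluding java.exe) =="
Get-CimInstance Win32_Process -Filter "Name = 'Wrapper.exe'" | ForEach-Object {
    Get-CimInstance Win32_Process -Filter "ParentProcessId = $($_.ProcessId)" |
        Where-Object { $_.Name -ne 'java.exe' } |
        Select-Object ProcessId, Name, CommandLine
} | Format-Table -AutoSize

# Check 3: Security log 4688 (process creation) events whose creator process was Wrapper.exe.
# Requires "Audit Process Creation" to be enabled; command-line auditing must be on for CommandLine to be populated.
Write-Host "== 4688 events with Wrapper.exe as creator process since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable for reliable field access.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $data['ParentProcessName']
            NewProcess  = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    } |
    Where-Object { $_.Parent -match '\\Wrapper\.exe$' -and $_.NewProcess -notmatch '\\java\.exe$' } |
    Format-Table -AutoSize
```

Any PowerShell or cmd.exe instance surfaced by checks 2 or 3 warrants preserving the host for forensic review before remediation, since the advisory also notes that the threat actors may have cleared tracks.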
Indicators of Compromise
A comprehensive list of IoCs can be found within the SysAid disclosure.
Threat Landscape
SysAid occupies a significant portion of the IT management software market share. The related products are used extensively by organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations with operational protocols involving these products as prime targets as they seek to meet their pre-defined objectives.
Intelligence indicates that CVE-2023-47246 has been exploited by Clop ransomware operators tracked as ‘Lace Tempest’ (also known as FIN11 and TA505). Operations involving the deployment of Clop ransomware are notorious for exploiting zero-day security flaws, as shown by the MOVEit Transfer and GoAnywhere MFT platform compromises detected throughout Q1-Q2 of 2023.
Threat Group
Intelligence indicates that CVE-2023-47246 has been exploited by Clop ransomware operators tracked as ‘Lace Tempest’ (also known as FIN11 and TA505).
Mitre Methodologies
Tactic:
TA0002 – Execution
Common Weakness Enumeration (CWE):
CWE-23 – Relative Path Traversal
Further Information
Quorum Cyber Threat Intelligence Clop Ransomware Report