Get in Touch
Indiscriminate, opportunistic targeting.
Intelligence indicates that Clop ransomware operators have initiated an attack campaign involving the exploitation of the recently disclosed SysAid zero-day vulnerability tracked as CVE-2023-47246. It has been assessed that the operation has almost certainly been conducted with the objective of data exfiltration and ransomware deployment. CVE-2023-47246 is classified as a path traversal vulnerability that allows for remote code execution (RCE).
Exploitation by the Clop ransomware operators has involved the upload of a malicious webshell, known as WAR (Web Application Resource) into the webroot of the SysAid Tomcat web service. This allowed the threat actors to execute PowerShell scripts resulting in the installation of GraceWire malware. Additional scripts were also detected that were responsible for the establishment of command-and-control (C2) infrastructure via Cobalt Strike beaconing.
Successful exploitation of CVE-2023-47246 would almost certainly allow threat actors to execute remote code on vulnerable systems, resulting in the compromise of data integrity in the first instance.
A security patch has been released by SysAid. As such, previous product versions remain vulnerable to potential exploitation.
SysAid On-Prem serve.
Containment, Mitigations & Remediations
It is strongly recommended that all SysAid users update to version 23.3.36 or later. Additionally, system administrators should also follow the recommended mitigation steps outlined below:
Check the SysAid Tomcat webroot for unusual files, with an emphasis on WAR, ZIP, or JSP files
Check for unauthorised WebShell files in the SysAid Tomcat service and inspect JSP files for malicious content
Review logs for unexpected child processes from Wrapper.exe
Check PowerShell logs for script executions that align with the disclosed attack patterns
Monitor key processes such as spoolsv.exe, msiexec.exe and svchost.exe for markers of code injection
Apply the disclosed Indicators of Compromise (IoCs) to identify potential exploitation
Search for evidence of specific threat actor commands
Scan for known malicious indicators related to the vulnerability
Check for connections regarding the disclosed C2 infrastructure
Check for evidence of threat actors potentially clearing tracks.
Indicators of Compromise
A comprehensive list of IoCs can be found within the SysAid disclosure.
SysAid occupies a significant portion of the IT management software market share. The related products are used extensively by organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations with operational protocols involving these products as prime targets as they seek to meet their pre-defined objectives.
Intelligence indicates that CVE-2023-47246 has been exploited by Clop ransomware operators tracked as ‘Lace Tempest’ (also known as FIN11 and TA505). Operations involving the deployment of Clop ransomware are notorious for exploiting zero-day security flaws, as shown by the MOVEit Transfer and GoAnywhere MFT platform compromises detected throughout Q1-Q2 of 2023.
Intelligence indicates that CVE-2023-47246 has been exploited by Clop ransomware operators tracked as ‘Lace Tempest’ (also known as FIN11 and TA505).
Common Weakness Enumeration (CWE):
CWE-23 – Relative Path Traversal