CVE-2023-47246: SysAid 0-Day Vulnerability

Late on November 8, 2023, SysAid announced they had evidence their product was being actively exploited via a 0-day vulnerability, now tracked as CVE-2023-47246.

SysAid is an IT Service Management system widely used by various enterprises.

On November 9, Microsoft confirmed the announcement, stating that they traced the exploit activity to an Initial Access Broker (IAB) group known as Lace Tempest, which is known to be closely associated with the Cl0p ransomware group.  Cl0p is the infamous ransomware gang known for their MOVEit Transfer exploit earlier this year.  

Per SysAid and Microsoft, this vulnerability is a previously unknown path traversal vulnerability that leads to code execution.  Successful exploitation led to the threat actor uploading a WAR archive file containing a webshell and other payloads which allowed them to gain full control of the system.

It should be noted that there is evidence of exploitation of this vulnerability as early as October 30.

Mitigation and Remediation

This vulnerability affects all on-premise SysAid servers.  The vendor has already released a fixed version, 23.3.36.  Download and installation instructions can be found here.  Administrators are urged to patch to the fixed version immediately.

BleepingComputer provided an excellent list of steps for administrators to take to check for signs of compromise:

1. Check the SysAid Tomcat webroot for unusual files, especially WAR, ZIP, or JSP files with anomalous timestamps.
2. Look for unauthorized WebShell files in the SysAid Tomcat service and inspect JSP files for malicious content
3. Review logs for unexpected child processes from Wrapper.exe, which may indicate WebShell use.
4. Check PowerShell logs for script executions that align with the attack patterns described.
5. Monitor key processes like spoolsv.exe, msiexec.exe, svchost.exe for signs of unauthorized code injection.
6. Apply provided IOCs to identify any signs of the vulnerability being exploited.
7. Search for evidence of specific attacker commands that indicate system compromise.
8. Run security scans for known malicious indicators related to the vulnerability.
9. Look for connections to the listed C2 IP addresses.
10. Check for signs of attacker-led cleanup to conceal their presence.

Elastic Security published 2 YARA rules to help with detection of compromise on vulnerable systems here and here.

A Velociraptor Artifact was created to hunt for post-exploitation activity, and can be found here.

Indicators of Compromise

b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d - Malicious loader

81.19.138.52 - GraceWire Loader C2

45.182.189.100 - GraceWire Loader C2

179.60.150.34 - Cobalt Strike C2

45.155.37.105 - Meshagent remote admin tool C2

C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe

C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war

C:\Program Files\SysAidServer\tomcat\webapps\leave

References

• https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification 
• https://documentation.sysaid.com/docs/latest-version-installation-files 
• https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-day-vulnerability-exploited-by-lace-tempest/ 
• https://www.bleepingcomputer.com/news/security/microsoft-sysaid-zero-day-flaw-exploited-in-clop-ransomware-attacks/ 
• https://www.malwarebytes.com/blog/news/2023/11/update-now-sysaid-vulnerability-is-actively-being-exploited-by-ransomware-affiliate 
• https://docs.velociraptor.app/exchange/artifacts/pages/sysaid/ 
• https://twitter.com/dez_/status/1722358562163179592 
• https://github.com/elastic/protections-artifacts/blob/158b14a87c57fd491d6317f87bb2fb2ceeaee1e4/yara/rules/Windows_Trojan_HazelCobra.yar#L1 
• https://github.com/elastic/protections-artifacts/blob/158b14a87c57fd491d6317f87bb2fb2ceeaee1e4/yara/rules/Windows_Trojan_FlawedGrace.yar#L1