Tue, Nov 14, 2023

CVE-2023-47246: SysAid On-Prem Software Zero-Day Vulnerability Exploited by CL0P Ransomware Group

NOTE: This remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

SysAid, an IT service management software provider, has released a security bulletin for a zero-day path traversal vulnerability leading to code execution within their on-premise software. This vulnerability is being tracked as CVE-2023-47246 with a CVSS score of 9.8 and is actively being exploited. Impacted products include SysAid on-prem software, with any versions prior to 23.3.36 potentially affected. We recommend updating to version 23.3.36 immediately.

According to Microsoft’s threat intelligence team, this vulnerability has been exploited by a threat actor identified as Lace Tempest (TA505), which Kroll tracks as KTA080. KTA080 is collectively associated with deploying the CL0P ransomware.

Although this vulnerability has been used in limited attacks so far, wider exploitation may follow soon, before organizations can adequately patch the vulnerability. KTA080 actors have been known to develop zero-day exploits over significant periods of time before exploiting them en masse.

In the cases seen in the SysAid zero-day attacks, the actors leveraged the victim’s IT support software to deliver the MeshAgent remote administration tool and the FLAWEDGRACE (GRACEWIRE) malware.

Microsoft further mentions, “This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”

Upon reviewing the security bulletin from SysAid and the statements issued by Microsoft, it seems that CL0P ransomware is reverting to its previously employed tactics, techniques and procedures (TTPs) of deploying ransomware and encrypting for impact, rather than pure data theft and extortion.

Following the initial compromise, the actors cleaned up the payloads used to establish an initial foothold on the infected servers, including by running PowerShell scripts.

Evidence of the following commands being run on SysAid servers indicates successful exploitation:

  • Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave"
  • Remove-Item -Force "$wapps\usersfiles.war"
  • Remove-Item -Force "$wapps\usersfiles\user.*"
  • & "$wapps\usersfiles\user.exe"

Kroll has pushed out indicators of compromise (IOCs) to our detection technologies via threat intelligence feeds. Notably, the COBALTSTRIKE command and control server used in the intrusion shared by SysAid has been under active tracking in the Kroll threat intelligence database since June 2022.

Kroll’s Cyber Threat Intelligence (CTI) team has assessed the TTPs used by CL0P operators in these attacks and is confident in detection coverage of the stated post-compromise activity, specifically relating to the COBALTSTRIKE deployment and PowerShell use. Detections for initial compromise activity are currently being scoped.

Below are some key recommendations from Kroll’s CTI team:

  • Ensure that your SysAid systems are updated to version 23.3.36, which includes the patches for the identified vulnerability.
  • Conduct a thorough compromise assessment of your SysAid server to look for any indicators mentioned.
  • Review any credentials or other information that would have been available to someone with full access to your SysAid server. Check any relevant activity logs for suspicious behavior.
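As an added example (not Kroll's tooling or any SysAid code), the following Python script applies the indicators in this advisory in a compromise assessment: it flags PowerShell command lines that match the cleanup and execution commands listed above, and checks a SysAidServer install root for the listed paths and the user.exe hash. The sample log lines, the scanned directory tree and the placeholder file contents are constructed; the install root on a real server is assumed to be the default C:\Program Files\SysAidServer.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# IOCs from the advisory: loader hash and paths relative to the SysAidServer install root.
USER_EXE_SHA256 = "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d"
IOC_RELATIVE_PATHS = {
    "tomcat/webapps/usersfiles/user.exe": "GRACEWIRE loader",
    "tomcat/webapps/usersfiles.war": "archive of webshells and tools",
    "tomcat/webapps/leave": "flag file for the attacker scripts",
}
# Cleanup/execution commands listed as evidence of exploitation; rules key on the artifacts, not the $tomcat_dir/$wapps names.
SUSPICIOUS_PATTERNS = {
    "leave_flag_removed": re.compile(r"Remove-Item\b.*usersfiles\\leave\b", re.I),
    "war_removed": re.compile(r"Remove-Item\b.*usersfiles\.war\b", re.I),
    "user_files_removed": re.compile(r"Remove-Item\b.*usersfiles\\user\.\*", re.I),
    "user_exe_executed": re.compile(r"^\s*&\s.*usersfiles\\user\.exe", re.I),
}
# Constructed PowerShell ScriptBlock log text (Event ID 4104); not real captures.
SAMPLE_SCRIPT_BLOCKS = [
    'Remove-Item -Path "$tomcat_dir\\webapps\\usersfiles\\leave"',
    'Remove-Item -Force "$wapps\\usersfiles.war"',
    'Get-ChildItem "C:\\Program Files\\SysAidServer\\tomcat\\logs"',  # benign, must not fire
    '& "$wapps\\usersfiles\\user.exe"',
]
def flag_script_blocks(lines):
    """Return (rule, line) for every logged command matching an advisory pattern."""
    return [(n, ln) for ln in lines for n, p in SUSPICIOUS_PATTERNS.items() if p.search(ln)]

def check_server_root(root):
    """Report IOC paths present under root; hash user.exe against the advisory value."""
    findings = {}
    for rel, desc in IOC_RELATIVE_PATHS.items():
        p = Path(root, rel)
        if not p.exists():
            continue
        if p.name == "user.exe":
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            desc += ": known-bad hash" if digest == USER_EXE_SHA256 else ": hash differs"
        findings[rel] = desc
    return findings

def demo():
    # Scan a constructed install tree holding the three artifacts with placeholder contents.
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "tomcat", "webapps")
        (web / "usersfiles").mkdir(parents=True)
        (web / "usersfiles" / "user.exe").write_bytes(b"constructed placeholder, not the loader")
        (web / "usersfiles.war").write_bytes(b"PK")
        (web / "leave").touch()
        return check_server_root(tmp)
```

On a real server, call check_server_root(r"C:\Program Files\SysAidServer") and feed exported 4104 script block text to flag_script_blocks; a "hash differs" result still warrants investigation, since only the listed loader hash is known.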

IOCs:

Filename   SHA256                                                            Comment
user.exe   b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d  Malicious loader

IP                 Comment
81.19.138[.]52     GRACEWIRE Loader C2
45.182.189[.]100   GRACEWIRE Loader C2
179.60.150[.]34    COBALTSTRIKE C2
45.155.37[.]105    MeshAgent remote admin tool C2

Path                                                              Comment
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe  GRACEWIRE
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war       Archive of WebShells and tools used by the attacker
C:\Program Files\SysAidServer\tomcat\webapps\leave                Used as a flag for the attacker scripts during execution
