Pierluigi Paganini November 10, 2023
Microsoft reported the exploitation of a zero-day vulnerability, tracked as CVE-2023-47246, in the SysAid IT support software in limited attacks.
The IT giant linked the attacks to the Clop ransomware gang (aka Lace Tempest). The company reported the flaw to the software vendor, which quickly fixed it.
The Lace Tempest operators exploited the vulnerability to issue commands via the SysAid software to deliver a loader for the Gracewire malware (aka FlawedGrace). The malware enabled human-operated activity, including lateral movement, data theft, and ransomware deployment.
SysAid reported that on November 2nd, its security team became aware of a potential vulnerability in its on-premise software. The software firm engaged the cybersecurity firm Profero to investigate the issue. Profero determined that the software was affected by a zero-day vulnerability.
“The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software,” reads the report published by Profero. “The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest), as identified by the Microsoft Threat Intelligence team. The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” “The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan.”
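The chain in the report (web service, then PowerShell, then user.exe) can be hunted for in process-creation telemetry. The sketch below is an added example, not code from the article, Profero or SysAid; the event field names follow Sysmon process-creation events, and the Tomcat image names, placeholder paths and sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: image names a Tomcat-hosted service may run under; tune per host.
WEB_SERVICE_IMAGES = {"java.exe", "javaw.exe", "tomcat9.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
LOADER_NAME = "user.exe"  # loader file name quoted from the Profero report

# Constructed process-creation events (not real telemetry; paths are placeholders).
SAMPLE_EVENTS = [
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\example\tomcat\bin\tomcat9.exe"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\example\tmp\user.exe"},
    {"ProcessId": 500, "ParentProcessId": 50, "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 600, "ParentProcessId": 500, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 700, "ParentProcessId": 600, "Image": r"C:\example\tools\user.exe"},
]

def base(path):
    """Lower-cased file name of a Windows path, on any OS."""
    return ntpath.basename(path).lower()

def find_chains(events):
    """Flag web service -> PowerShell, and web service -> PowerShell -> user.exe."""
    # PIDs can be reused over time; scope `events` to a single boot or time window.
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None:
            continue
        image, parent_image = base(e["Image"]), base(parent["Image"])
        if image in SCRIPT_HOSTS and parent_image in WEB_SERVICE_IMAGES:
            findings.append(("web-service-spawned-powershell", e["ProcessId"]))
        elif image == LOADER_NAME and parent_image in SCRIPT_HOSTS:
            grand = by_pid.get(parent["ParentProcessId"])
            if grand and base(grand["Image"]) in WEB_SERVICE_IMAGES:
                findings.append(("loader-from-web-service-chain", e["ProcessId"]))
    return findings

if __name__ == "__main__":
    for rule, pid in find_chains(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The second PowerShell and user.exe pair, started from explorer.exe, is not flagged, which shows why the rule keys on ancestry rather than on the file name alone.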
Rapid7 researchers reported that Shodan searches for either a specific CSS file or the favicon both return only 416 instances of SysAid exposed to the public internet. (Note that “exposed” does not necessarily imply that those instances are vulnerable.)
SysAid addressed the flaw with the release of version 23.3.36 on November 8.
Below are the recommendations provided by the software vendor to its customers: