NOTE: This remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
SysAid, an IT service management software provider, has released a security bulletin for a zero-day path traversal vulnerability leading to code execution within their on-premise software. This vulnerability is being tracked as CVE-2023-47246 with a CVSS score of 9.8 and is actively being exploited. Impacted products include SysAid on-prem software, with any versions prior to 23.3.36 potentially affected. We recommend updating to version 23.3.36 immediately.
According to Microsoft’s threat intelligence team, this vulnerability has been exploited by a threat actor identified as Lace Tempest (TA505), which Kroll tracks as KTA080. KTA080 is associated with deploying the CL0P ransomware.
Although this vulnerability has been used in limited attacks so far, wider exploitation may follow before organizations can adequately patch. KTA080 actors have been known to develop and hold zero-day exploits for significant periods of time before exploiting them en masse.
In the cases seen in the SysAid zero-day attacks, the actors leveraged the victim’s IT support software to deliver the MeshAgent remote administration tool and the FLAWEDGRACE (GRACEWIRE) malware.
Microsoft further mentions, “This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”
Upon reviewing the security bulletin from SysAid and the statements issued by Microsoft, it appears that CL0P ransomware operators are reverting to their previously employed tactics, techniques and procedures (TTPs) of deploying ransomware and encrypting for impact, rather than relying purely on data theft and extortion.
Following the initial compromise, the actors cleaned up the payloads used to establish an initial foothold on the infected servers, in part by using PowerShell scripts.
Evidence of the following commands being run on SysAid servers indicates successful exploitation:
- Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave"
- Remove-Item -Force "$wapps\usersfiles.war"
- Remove-Item -Force "$wapps\usersfiles\user.*"
- & "$wapps\usersfiles\user.exe"
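As an added example (not from SysAid's bulletin or Kroll's tooling), the following Python scans exported PowerShell script-block log text (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) for the cleanup and execution commands listed above; the path-variable names are treated as wildcards since an operator may vary them, and the sample log entries are constructed.

```python
import re

# Patterns derived from the commands in SysAid's bulletin (listed above).
# Matching is case-insensitive, and `.*` stands in for the path variable
# ($tomcat_dir, $wapps) so a renamed variable does not evade the check.
INDICATORS = {
    "cleanup_leave_dir": re.compile(r"Remove-Item\s+.*usersfiles\\leave", re.I),
    "cleanup_war": re.compile(r"Remove-Item\s+-Force\s+.*usersfiles\.war", re.I),
    "cleanup_user_files": re.compile(r"Remove-Item\s+-Force\s+.*usersfiles\\user\.\*", re.I),
    "exec_user_exe": re.compile(r"&\s*.*usersfiles\\user\.exe", re.I),
}


def scan_script_blocks(entries):
    """Return (record_id, indicator_name) for every script block that matches.

    `entries` is an iterable of (record_id, script_block_text) tuples, e.g. the
    RecordId and ScriptBlockText fields exported from Event ID 4104.
    """
    hits = []
    for record_id, text in entries:
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((record_id, name))
    return hits


# Constructed sample entries (not real telemetry). Records 103-105 mirror the
# bulletin's commands and should match; 101 and 102 are benign administration.
SAMPLE_ENTRIES = [
    (101, 'Get-ChildItem -Path "$wapps\\usersfiles" | Measure-Object'),
    (102, 'Remove-Item -Path "$env:TEMP\\installer.log"'),
    (103, 'Remove-Item -Path "$tomcat_dir\\webapps\\usersfiles\\leave"'),
    (104, 'Remove-Item -Force "$wapps\\usersfiles.war"; Remove-Item -Force "$wapps\\usersfiles\\user.*"'),
    (105, '& "$wapps\\usersfiles\\user.exe"'),
]

if __name__ == "__main__":
    for record_id, name in scan_script_blocks(SAMPLE_ENTRIES):
        print(f"record {record_id}: {name}")
```

A single hit on the cleanup patterns is worth escalating even without the execution line, since the actors removed their foothold artifacts after use.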
Kroll has pushed out indicators of compromise (IOCs) to our detection technologies via threat intelligence feeds. Notably, the COBALTSTRIKE command and control server used in the intrusion shared by SysAid has been under active tracking in the Kroll threat intelligence database since June 2022.
Kroll’s Cyber Threat Intelligence (CTI) team has assessed the TTPs used by CL0P operators in these attacks and is confident in detection coverage of the stated post-compromise activity, specifically the COBALTSTRIKE deployment and PowerShell use. Detections for initial-compromise activity are currently being scoped.
Below are some key recommendations from Kroll’s CTI team:
- Ensure that your SysAid systems are updated to version 23.3.36, which includes the patches for the identified vulnerability.
- Conduct a thorough compromise assessment of your SysAid server, looking for the indicators mentioned above.
- Review any credentials or other information that would have been available to someone with full access to your SysAid server. Check any relevant activity logs for suspicious behavior.