Last updated at Fri, 10 Nov 2023 19:25:41 GMT
On November 8, 2023, IT service management company SysAid disclosed CVE-2023-47426, a zero-day path traversal vulnerability affecting on-premise SysAid servers. According to Microsoft’s threat intelligence team, it has been exploited in the wild by DEV-0950 (Lace Tempest) in “limited attacks.” In a social media thread published the evening of November 8, Microsoft emphasized that Lace Tempest distributes the Cl0p ransomware, and that exploitation of CVE-2023-47246 is likely to result in ransomware deployment and/or data exfiltration. Lace Tempest is the same threat actor who perpetrated the MOVEit Transfer and GoAnywhere MFT extortion attacks earlier this year.
Note: Rapid7 is investigating evidence of compromise related to this vulnerability in at least one customer environment.
SysAid’s advisory on CVE-2023-47246 includes the results of an investigation by Profero, who discovered the vulnerability; the advisory says the attacker “uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” Post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware. There are extensive details about the attack chain in the vendor advisory, along with robust indicators of compromise. An employee of technology company Elastic also reported the evening of November 8 that Elastic had observed exploitation in the wild as far back as October 30.
SysAid’s website claims that the company has upwards of 5,000 customers, including a number of large corporations whose logos adorn SysAid’s customer page. Shodan searches for either a specific CSS file or the favicon both return only 416 instances of SysAid exposed to the public internet. (Note that “exposed” does not necessarily imply that those instances are vulnerable.)
CVE-2023-47246 is fixed in version 23.3.36 of SysAid server. Given the potential for ransomware and extortion attacks, organizations with on-premise SysAid servers should apply the vendor-supplied patches on an emergency basis, invoking incident response procedures if possible, and ensure the server is not exposed to the public internet. We also strongly recommend reviewing the indicators of compromise in SysAid’s advisory and examining environments for suspicious activity, though notably, the advisory says the adversaries may cover their tracks by cleaning up logs and artifacts on disk.
Indicators of compromise
SysAid has an extensive list of IOCs and observed attacker behavior in their advisory. Rather than reproducing that here, we urge organizations to use that vendor advisory as their starting source of truth for threat hunting: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Rapid7 has a Velociraptor artifact available to help organizations identify post-exploitation activity related to this zero-day vulnerability:
- Yara.Process: Targets observed malware and Cobalt Strike via process YARA
- Disk.Ntfs: Targets known disk IOCs via
- Forensic.Usn: Targets known disk IOCs via USN journal
- Evtx.Defender: Searches Defender event logs for evidence of associated alerts
- Evtx.NetworkIOC: Targets known strings of network IOCs in firewall, Sysmon and PowerShell logs
InsightVM and Nexpose customers can assess their exposure to CVE-2023-47246 with an authenticated Windows check available in today’s (November 9) content release.
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:
- Attacker Technique - SpoolSV Spawns CMD or PowerShell
- Attacker Technique - Possible Process Injection
- Attacker Technique - PowerShell Download Cradles
- Attacker Tool - CobaltStrike PowerShell Commands
- Suspicious Network Connection - Destination Address in Cobalt Strike C2 List
November 9, 2023: Updated to note that Profero conducted the investigation that identified the zero-day vulnerability. Microsoft is credited with detecting exploitation in the wild.
Updated to note that Rapid7 is investigating evidence of compromise related to this vulnerability in at least one customer environment.