Microsoft SysAid Zero-Day Flaw

Microsoft SysAid Zero-Day Flaw: Clop Ransomware Attacks Exploited

Knowing how potential threats and vulnerabilities can impact your organization is important as an IT professional. Recently, cybercriminals have exploited a zero-day vulnerability in SysAid, a widely used service management software. This vulnerability allows unauthorized access to corporate servers, leading to data theft and the deployment of the notorious Clop ransomware.

SysAid, a comprehensive IT service management solution that provides various tools for managing IT services, has become the latest target for the Clop ransomware group. Known for exploiting zero-day vulnerabilities in software such as MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, the group continues to pose a serious threat. Microsoft’s Threat Intelligence team discovered the vulnerability, CVE-2023-47246, being used in the wild and took action to alert SysAid of the issue.

Key Takeaways

• Cybercriminals exploit SysAid zero-day vulnerability for unauthorized server access.
• Clop ransomware group continues its pattern of targeting widely used software.
• Microsoft Threat Intelligence identifies and alerts SysAid to ongoing attacks.

Attack Details

SysAid recently disclosed a path traversal vulnerability (CVE-2023-47246) that allowed unauthorized code execution. The threat actor took advantage of this zero-day flaw to upload a Web Application Resource (WAR) archive containing a webshell into the webroot of SysAid’s Tomcat web service.

Once the webshell was in place, the attackers executed additional PowerShell scripts and loaded the GraceWire malware. The malware was then injected into legitimate processes, like spoolsv.exe, msiexec.exe, and svchost.exe. Interestingly, the malware loader (‘user.exe’) specifically checks for the absence of Sophos security products on the compromised system.

Following data exfiltration, the threat actor attempted to cover their tracks by utilizing a PowerShell script that deleted traces of their activity logs.

Moreover, Microsoft identified Lace Tempest deploying extra scripts that fetched a Cobalt Strike listener on the compromised hosts. The nature of these attacks demonstrates a highly sophisticated and carefully executed operation, making it crucial for organizations to regularly update and secure their systems to stay protected against such threats.

Security Update Available

After becoming aware of the vulnerability, SysAid quickly developed a patch for CVE-2023-47246, now available in a software update. All SysAid users are strongly advised to upgrade to version 23.3.36 or later.

As a system administrator, you should also examine servers for signs of compromise by performing the following steps:

• Inspect the SysAid Tomcat webroot for unusual files, particularly WAR, ZIP, or JSP files with unexpected timestamps.
• Search for unauthorized WebShell files in the SysAid Tomcat service and scrutinize JSP files for harmful content.
• Review logs for unexpected child processes stemming from Wrapper.exe, which could hint at WebShell usage.
• Examine PowerShell logs for script executions matching the described attack patterns.
• Keep an eye on key processes like spoolsv.exe, msiexec.exe, svchost.exe for indications of unauthorized code injection.
• Utilize provided IOCs to identify any signs of the vulnerability being exploited.
• Look for evidence of specific attacker commands that suggest system compromise.
• Conduct security scans for known malicious indicators associated with the vulnerability.
• Check for connections to the specified C2 IP addresses.
• Search for indications of attacker-driven cleanup efforts to hide their activities.

SysAid has offered indicators of compromise that may assist in detecting or thwarting the intrusion, including filenames and hashes, IP addresses, file paths utilized in the attack, and commands employed by the threat actor to download malware or erase evidence of initial access.