SysAid [1] [2] [3] [4] [5] [6] [7] [8] [9], an IT automation and asset management software provider [8] [9], has recently alerted its customers to a critical vulnerability (CVE-2023-47246) in its on-premise software [8] [9]. This vulnerability allows unauthorized access and control over affected systems [1] [4].
Description
Discovered on November 2, 2023, this vulnerability has been exploited by the hacker group known as Lace Tempest or TA505 “Lace Tempest”. They used it to deploy a malware loader and inject the GraceWire trojan [6]. The vulnerability is a path traversal issue that enables code execution within the SysAid software [7]. Attackers can upload and access webshells and other payloads in the webroot directory of the SysAid Apache Tomcat web server [7].
Microsoft Threat Intelligence researchers have identified Lace Tempest as the group responsible for exploiting this vulnerability [9]. It is worth noting that Lace Tempest had previously targeted the MoveIT Transfer vulnerability [9]. Microsoft promptly reported the exploitation to SysAid, who responded by releasing a fixed version of their software (version 23.3.36).
To mitigate the risk [6], organizations using SysAid On-Premises installations running versions before 23.3.36 are advised to upgrade to the latest version [5]. It is important for these organizations to search for indicators of compromise, monitor for signs of intrusion [5] [6], analyze PowerShell execution logs [6], and take proactive steps to secure their installations [1]. Lace Tempest may exfiltrate data and deploy Clop ransomware [1], underscoring the significance of incident response and mitigation efforts.
Conclusion
This incident highlights the risks associated with cybersecurity incidents and emphasizes the importance of incident response and mitigation efforts. Organizations must take immediate action to upgrade their SysAid On-Premises installations and implement proactive security measures to protect against potential data exfiltration and ransomware attacks in the future.
References
[1] https://www.techtarget.com/searchSecurity/news/366558920/Lace-Tempest-exploits-SysAid-zero-day-vulnerability
[2] https://www.darkreading.com/attacks-breaches/moveit-hackers-sysaid-zero-day-ransomware
[3] https://allinfosecnews.com/item/path-traversal-leading-to-compromise-sysaid-on-prem-software-cve-2023-47246-vulnerability-2023-11-09–1/
[4] https://www.helpnetsecurity.com/2023/11/09/exploited-cve-2023-47246/
[5] https://www.malwarebytes.com/blog/news/2023/11/update-now-sysaid-vulnerability-is-actively-being-exploited-by-ransomware-affiliate
[6] https://securityonline.info/cve-2023-47246-zero-day-vulnerability-in-sysaid-on-prem-software/
[7] https://www.huntress.com/blog/critical-vulnerability-sysaid-cve-2023-47246
[8] https://duo.com/decipher/lace-tempest-seen-exploiting-sysaid-zero-day
[9] https://allinfosecnews.com/item/lace-tempest-seen-exploiting-sysaid-zero-day-2023-11-09/