The Zero-Day Vulnerability in SysAid: CVE-2023-47246
SysAid's on-premises software is affected by a zero-day path traversal vulnerability, tracked as CVE-2023-47246.
In November 2023, cybersecurity experts at Microsoft uncovered a critical zero-day vulnerability in SysAid's on-premises IT service management software. Designated CVE-2023-47246, the flaw was exploited by the threat group known as Lace Tempest, which used it to upload a webshell and thereby gain unauthorized system access and code execution.
The vulnerability is a path traversal flaw: it lets an attacker escape the directory the application intends to use and read or write files elsewhere on the server. This class of issue is commonly associated with broken access control and injection, as outlined in the OWASP Top 10 list of critical web application security risks.
Lace Tempest's approach was to write the malicious webshell into the webroot of the SysAid Tomcat web service. Subsequent steps included deploying the GraceWire trojan via a malicious loader, erasing traces of the intrusion, and setting up a Cobalt Strike listener for ongoing surveillance of the compromised system. This pattern of behavior is typical of staging for further malicious activity, including data theft and ransomware deployment.
SysAid has classified the threat as significant for all customers running on-premises installations and has released version 23.3.36 to close this security gap.
Protection Measures Against CVE-2023-47246
To counter the risks posed by CVE-2023-47246, SysAid, working with the cybersecurity firm Profero, has outlined the following mitigation steps:
1. Immediate Update: Users of SysAid's on-premises servers should promptly upgrade to version 23.3.36, which contains the security patch.
2. Compromise Assessment: Organizations should investigate potential compromise by examining their SysAid servers for indicators of compromise (IOCs), unusual access patterns, and anomalies in server logs.
Key areas of focus should include:
- Unauthorized actions within the SysAid Tomcat service.
- Files in the webroot directory whose timestamps do not correspond with the installation date.
- Webshells deployed within the Tomcat service that appear unauthorized or suspicious.
- Abnormal execution of PowerShell scripts.
- Unexpected activities related to the three processes targeted by the attacker: spoolsv.exe, msiexec.exe, and svchost.exe.
- Evidence of cleanup efforts by the attacker following initial system access.
- Exposure of sensitive credentials and data via the compromised system.
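As an added illustration of one of the checks above (webroot files whose timestamps do not match the installation date), the following Python script triages a file listing; it is not SysAid's or Profero's code, and the paths, timestamps, tolerance window and extension list are constructed assumptions.

```python
"""Triage a Tomcat webroot file listing for web-executable files whose
modification time does not fit the installation window."""
from datetime import datetime, timedelta

# Content a Tomcat webroot should normally only gain during an install/upgrade.
# Extension list is an assumption; extend it for your deployment.
WEB_EXEC_EXT = (".jsp", ".jspx", ".war", ".jar", ".class")


def find_suspicious_webroot_files(entries, install_time, tolerance_hours=24):
    """entries: iterable of (relative_path, modified_datetime) pairs, e.g. taken
    from os.walk() or a forensic file listing. Returns the web-executable files
    whose mtime lies outside install_time +/- tolerance_hours, oldest first."""
    window = timedelta(hours=tolerance_hours)
    flagged = []
    for path, mtime in entries:
        if not path.lower().endswith(WEB_EXEC_EXT):
            continue  # static content (images, css) is out of scope for this check
        if abs(mtime - install_time) > window:
            flagged.append((path, mtime))
    return sorted(flagged, key=lambda entry: entry[1])


# Constructed sample listing: illustrative paths and times, not real SysAid files.
INSTALL_TIME = datetime(2023, 9, 12, 10, 0)
SAMPLE_LISTING = [
    ("WEB-INF/lib/app-core.jar", datetime(2023, 9, 12, 10, 3)),   # part of install
    ("index.jsp", datetime(2023, 9, 12, 10, 5)),                  # part of install
    ("WEB-INF/classes/Login.class", datetime(2023, 9, 12, 10, 5)),
    ("uploads/logo.png", datetime(2023, 10, 2, 15, 30)),          # static, ignored
    ("placeholder.jsp", datetime(2023, 11, 2, 3, 17)),            # weeks after install
    ("WEB-INF/tmp/placeholder.war", datetime(2023, 11, 2, 3, 18)),
]

if __name__ == "__main__":
    for path, mtime in find_suspicious_webroot_files(SAMPLE_LISTING, INSTALL_TIME):
        print(f"REVIEW {mtime:%Y-%m-%d %H:%M}  {path}")
```

Files it reports are candidates for review, not confirmed webshells; confirm against the vendor's IOCs and the file contents.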
Organizations should also familiarize themselves with the threat actor's known identifiers, including file paths, IP addresses, command patterns, and hash values.
Microsoft Defender Antivirus detects three associated threats under the following names:
- Trojan:Win32/TurtleLoader
- Backdoor:Win32/Clop
- Ransom:Win32/Clop
By following these guidelines, SysAid users can strengthen their defenses against the Lace Tempest group and reduce the risk of breaches and ransomware attacks.