Tue, Nov 14, 2023
NOTE: This remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
SysAid, an IT service management software provider, has released a security bulletin for a zero-day path traversal vulnerability leading to code execution within their on-premise software. This vulnerability is being tracked as CVE-2023-47246 with a CVSS score of 9.8 and is actively being exploited. Impacted products include SysAid on-prem software, with any versions prior to 23.3.36 potentially affected. We recommend updating to version 23.3.36 immediately.
According to Microsoft’s threat intelligence team, this vulnerability has been exploited by a threat actor identified as Lace Tempest (TA505), which Kroll tracks as KTA080. KTA080 is collectively associated with deploying the CL0P ransomware.
Although this vulnerability has been used in limited attacks so far, there is a real prospect of wider exploitation before organizations can adequately patch the vulnerability. KTA080 actors have been known to develop zero-day exploits and hold them for significant periods of time before exploiting en masse.
In the cases seen in the SysAid zero-day attacks, the actors leveraged the victim’s IT support software to deliver the MeshAgent remote administration tool and the FLAWEDGRACE (GRACEWIRE) malware.
Microsoft further mentions, “This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”
Upon reviewing the security bulletin from SysAid and the statements issued by Microsoft, it seems that CL0P operators are reverting to previously employed tactics, techniques and procedures (TTPs): deploying ransomware and encrypting for impact, rather than pursuing pure data theft and extortion.
Following the initial compromise, the actors cleaned up the payloads used to establish an initial foothold on the infected servers, in part by using PowerShell scripts.
Evidence of the following commands being run on SysAid servers indicates successful exploitation:
Kroll has pushed out indicators of compromise (IOCs) to our detection technologies via threat intelligence feeds. Notably, the COBALTSTRIKE command and control server used in the intrusion shared by SysAid has been under active tracking in the Kroll threat intelligence database since June 2022.
Kroll’s Cyber Threat Intelligence (CTI) team has assessed the TTPs used by CL0P operators in these attacks and is confident in detection coverage of the stated post-compromise activity, specifically relating to the COBALTSTRIKE deployment and PowerShell use. Detections for initial compromise activity are currently being scoped.
Below are some key recommendations from Kroll’s CTI team:
| Filename | SHA256 | Comment |
|---|---|---|
| user.exe | b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d | Malicious loader |

| IP | Comment |
|---|---|
| 81.19.138[.]52 | GRACEWIRE loader C2 |
| 45.182.189[.]100 | GRACEWIRE loader C2 |
| 179.60.150[.]34 | COBALTSTRIKE C2 |
| 45.155.37[.]105 | MeshAgent remote admin tool C2 |

| Path | Comment |
|---|---|
| C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe | GRACEWIRE |
| C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war | Archive of webshells and tools used by the attacker |
| C:\Program Files\SysAidServer\tomcat\webapps\leave | Used as a flag for the attacker scripts during execution |
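To turn the file-system indicators above into a quick host check, here is an added hunting script (example code, not Kroll's or SysAid's tooling) that looks under a SysAid server's Tomcat webapps root for the listed artifacts and compares any file found against the published user.exe hash. The default install path and the constructed sample tree it runs against are assumptions for illustration.

```python
# Hunt a SysAid on-prem server's Tomcat webapps root for the advisory's artifacts.
# Added example, not SysAid's or Kroll's tooling.
import hashlib
import tempfile
from pathlib import Path

# IOCs taken from the advisory tables above.
USER_EXE_SHA256 = "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d"
WEBAPPS_ARTIFACTS = {
    "usersfiles/user.exe": "GRACEWIRE loader",
    "usersfiles.war": "Archive of webshells and attacker tools",
    "leave": "Flag file used by the attacker scripts",
}
# Default install location is an assumption; pass your own root if it differs.
DEFAULT_WEBAPPS = Path(r"C:\Program Files\SysAidServer\tomcat\webapps")

def sha256_of(path: Path) -> str:
    """Stream-hash a file so a large WAR archive need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hunt(webapps: Path = DEFAULT_WEBAPPS) -> list[dict]:
    """One finding per advisory artifact present under the webapps root.
    'leave' may be a file or a directory, so presence alone is reported;
    known_hash is True only when a file matches the published user.exe hash."""
    findings = []
    for rel, comment in WEBAPPS_ARTIFACTS.items():
        target = webapps / rel
        if not target.exists():
            continue
        digest = sha256_of(target) if target.is_file() else None
        findings.append({"path": str(target), "comment": comment,
                         "sha256": digest, "known_hash": digest == USER_EXE_SHA256})
    return findings

def plant_constructed_sample() -> Path:
    """Constructed fixture (not real malware): a temp webapps tree holding a
    benign user.exe and the 'leave' flag file, for offline demonstration."""
    root = Path(tempfile.mkdtemp(prefix="sysaid-demo-"))
    (root / "usersfiles").mkdir()
    (root / "usersfiles" / "user.exe").write_bytes(b"constructed placeholder")
    (root / "leave").write_text("constructed")
    return root

if __name__ == "__main__":
    for finding in hunt(plant_constructed_sample()):
        print(finding)
```

A hit on any of these paths warrants a full investigation of the host, since the advisory ties them to post-exploitation tooling rather than to the initial traversal itself.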