SysAid Zero-Day Flaw Exploited in Clop Ransomware Attacks

The attackers, using the alias DEV-0950 (Lace Tempest), exploited a path traversal vulnerability in the SysAid on-premises software. The attackers uploaded a WebShell and other payloads into the webroot directory of the SysAid Tomcat web service, gaining unauthorized access and control over the affected system. The PowerShell scripts were then employed to execute a malware loader named user.exe, which, in turn, loaded the GraceWire trojan into critical system processes. The attackers also utilized a second PowerShell script to erase any evidence of their actions from both the disk and the SysAid on-prem server web logs.

The attackers' techniques included deploying a CobaltStrike agent and employing various PowerShell scripts for malicious activities, such as launching a malware loader and erasing evidence from victim servers. The post-compromise cleanup involved removing the deployed payloads and associated files.

SysAid responded promptly to the discovery of the CVE-2023-47246 vulnerability, collaborating with cybersecurity experts to investigate and address the issue. The attackers, identified as DEV-0950 (Lace Tempest), exploited this zero-day vulnerability to deploy a WebShell, execute a malware loader, and load the GraceWire trojan into critical system processes. This researcher underscores the ongoing challenges in cybersecurity and the critical importance of proactive measures, including timely software updates, thorough compromise assessments, and adherence to incident response protocols, to mitigate risks posed by evolving threats.

Recommendations:

• We strongly recommend you update SysAid to version 23.3.36 or later.

Threat Profile:

References:

The following reports contain further technical details:

https://www.bleepingcomputer.com/news/security/microsoft-sysaid-zero-day-flaw-exploited-in-clop-ransomware-attacks/