SysAid on-premises software faces a zero-day vulnerability tracked as CVE-2023-47246. SysAid recommends that all customers immediately upgrade to version 23.3.36, which has a security patch for the path traversal vulnerability.
"We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network to look for any indicators further discussed below. Should you identify any indicators, take immediate action and follow your incident response protocols."
- SysAid CTO Sasha Shapirov, in SysAid's vulnerability notification
What is CVE-2023-47246?
First detected by the Microsoft Threat Intelligence team in early November 2023, the zero-day vulnerability tracked as CVE-2023-47246 affects SysAid on-premises IT service management systems. This vulnerability has been exploited by a known threat actor to gain unauthorized access, move through the system, and achieve code execution. The attacker uploaded a malicious payload that enabled them to inject trojan malware on the system.
Though this vulnerability has not yet been added to the National Vulnerability Database at the time of publication, the identifier CVE-2023-47246 has been reserved with the MITRE Corporation, and the flaw is described as a path traversal vulnerability that can lead to arbitrary code execution. It does not yet have a CVSS rating.
With a path traversal vulnerability, attackers can navigate through the directory system and, in this case, manipulate files. Path traversal is identified as CWE-35 and is often related to access control issues. Broken access control and injection attacks are two of the OWASP Top 10 critical security risks.
Through the SysAid vulnerability, the threat actor known as Lace Tempest uploaded a webshell into the Apache Tomcat service running on a SysAid server. Tomcat is an open-source web server, and the webroot of the SysAid Tomcat web service was the initial target for the attack. The hacker's webshell provided unauthorized access and control over the system, which the attacker leveraged to deploy malware. Using the user.exe malware loader, the attacker ran a PowerShell script to inject the GraceWire trojan into three executables: spoolsv.exe, msiexec.exe, and svchost.exe. Each of these executables is used to run Windows services, so malware takeover can lead to a non-functioning device. The attacker then ran additional scripts to erase evidence of the attack and to run a Cobalt Strike listener for monitoring compromised hosts.
These actions are typically followed by data exfiltration and ransomware deployment. The threat actor behind the attack on SysAid servers also exploited a zero-day vulnerability in the MOVEit Transfer product earlier this year and is known to deploy cl0p ransomware attacks. GraceWire malware has also been linked to ransomware attacks and subsequent data breaches.
According to SysAid, all customers with on-premises server installations are at risk. Upgrade your system to version 23.3.36 containing the security patch for this vulnerability.
How UpGuard Can Help
CVE-2023-47246 has been added to UpGuard's vulnerability library as an informational vulnerability, which means that UpGuard can detect if you are using the affected product. Search for CVE-2023-47246 in your BreachSight Vulnerabilities module and in the Vendor Risk Portfolio Risk Profile to identify what assets may be impacted. Cross-check your version with the impacted versions to ensure that your system is protected against possible exploitation.
UpGuard maintains a vulnerability library with thousands of known cybersecurity vulnerabilities, and we will continue monitoring this situation for more information on the SysAid vulnerability.
Mitigation Strategies for CVE-2023-47246
In their November 2023 vulnerability notice, SysAid provides guidance on what actions customers can take to protect against this vulnerability. SysAid partnered with Profero for the vulnerability investigation.
Apply SysAid's Security Patch
SysAid recommends that all customers using a SysAid on-prem server update to version 23.3.36 immediately, as that version contains the security patch for the vulnerability.
Evaluate Potential Compromise
SysAid recommends assessing your SysAid on-prem software for any of the known indicators of compromise (IOCs) and any suspicious behavior in server logs. Assess behavior on your SysAid server for the following behaviors:
- Unauthorized access or suspicious uploads in the SysAid Tomcat service.
- Unexpected files that do not match the installation date in the webroot directory.
- Unauthorized or suspect WebShell deployment in the SysAid Tomcat service.
- Abnormal PowerShell script execution.
- Unauthorized behavior on the three targeted processes (spoolsv.exe, msiexec.exe, svchost.exe).
- Signs of the attacker's cleanup actions on their initial access.
- Credentials and other sensitive information accessible through the affected system.
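One way to triage the second item in this list, files in the webroot that do not match the installation date, is sketched below as an added example; it is not code from SysAid, Profero, or this article. The function names, the one-hour tolerance, the extension list, and the constructed sample tree are all assumptions, and the real webroot path and install or upgrade date must be supplied for your own server.

```python
import os
import tempfile
from datetime import datetime, timezone

# Assumed triage list: file types Tomcat can deploy or execute.
EXECUTABLE_EXTS = {".jsp", ".jspx", ".war", ".class", ".jar"}

def find_unexpected_files(webroot, baseline, tolerance_s=3600):
    """Return files modified later than baseline + tolerance, riskiest first."""
    # baseline: aware datetime of the install or last legitimate upgrade.
    # mtime can be forged, so an empty result does not prove integrity.
    cutoff = baseline.timestamp() + tolerance_s
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(full).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if mtime > cutoff:
                ext = os.path.splitext(name)[1].lower()
                findings.append({
                    "path": os.path.relpath(full, webroot),
                    "modified": datetime.fromtimestamp(mtime, timezone.utc),
                    "executable": ext in EXECUTABLE_EXTS,
                })
    # Deployable or executable content first, then newest first.
    findings.sort(key=lambda f: (not f["executable"], -f["modified"].timestamp()))
    return findings

def demo():
    """Audit a constructed webroot; every file name here is made up."""
    baseline = datetime(2023, 6, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        samples = {  # relative path -> seconds after the baseline
            "index.jsp": 0,
            "WEB-INF/web.xml": 600,
            "uploads/example-late.war": 86400 * 30,
            "css/site.css": 86400 * 10,
        }
        for rel, offset in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            ts = baseline.timestamp() + offset
            os.utime(path, (ts, ts))
        return [(f["path"], f["executable"]) for f in find_unexpected_files(root, baseline)]

if __name__ == "__main__":
    print(demo())
```

Treat the output as a list of files to examine and compare against a known-good installation, since legitimate upgrades also change modification times.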
Additionally, review the identifiers for the known threat actor, including the published hashes, IP addresses, file paths, and commands. The SysAid vulnerability notification lists the malicious identifiers and specific signs of exploitation.
Microsoft Defender antivirus detection can also identify three threat components related to the SysAid zero-day vulnerability:
If you identify potential compromise, follow your internal security policy for incident response. Immediate shutdown and network disconnection may provide time to quarantine and disinfect the impacted system.
Strengthen Your Cybersecurity Posture
By taking proactive steps to harden your security stance, you can help prevent cyber attacks on your external attack surface. Consider the following additions to your cybersecurity measures: