This week, threat actors are actively exploiting a zero-day vulnerability (CVE-2023-47246) in the SysAid service management software. The vulnerability is a path traversal flaw and allows attackers to gain unauthorized access to corporate on-premise servers, leading to data theft and the deployment of Cl0p ransomware.
SysAid is a widely used IT Service Management solution, providing businesses tools for managing various IT services. Microsoft has identified the threat actor behind the exploitation as Lace Tempest, also known as TA505. The threat actors leverage the zero-day by uploading a Web Application Resource (WAR) archive containing a webshell into the webroot of the SysAid Tomcat web service. This allows the threat actors to execute additional PowerShell scripts, load the GraceWire malware, and compromise legitimate processes (msiexec.exe, svchost.exe, and spoolsv.exe).
After exfiltrating data, the threat actor attempts to erase their tracks by using a PowerShell script to delete activity logs. A patch for CVE-2023-47246 is available in the latest software update, version 23.3.36. We strongly recommend that all SysAid users update to this version immediately.
INDICATORS OF COMPROMISE (IoCs)