On November 8, 2023, SysAid, a widely used IT Service Management (ITSM) system, publicly disclosed a critical zero-day vulnerability designated CVE-2023-47246. The flaw, discovered on November 2, had already been actively exploited by the threat group DEV-0950 (Lace Tempest), as reported by Microsoft’s Threat Intelligence team. Given the severity of this flaw, organizations running SysAid On-Prem software must take immediate action to address it.

The zero-day vulnerability in SysAid On-Prem Software involves a path traversal flaw that allows for unauthorized code execution. Profero, a renowned cybersecurity incident response company engaged by SysAid, conducted a thorough investigation and uncovered that the attacker, Lace Tempest, utilized this vulnerability to upload a WAR archive containing a WebShell and additional payloads into the webroot of the SysAid Tomcat web service.

Attack Chain:

Once unauthorized access was gained, the attacker used the WebShell to run a PowerShell script that executed a malware loader named user.exe on the compromised host. This loader, identified as the GraceWire trojan, was injected into legitimate Windows processes such as spoolsv.exe, msiexec.exe, and svchost.exe. A second PowerShell script was then used to remove evidence of the attacker’s activity from the disk and from the web logs of the SysAid on-prem server.

Figure: The attack sequence showing how threat actors exploit CVE-2023-47246 to gain unauthorized access to the SysAid system (see Reference).

PowerShell Analysis:

During the attack, the attacker used two separate PowerShell scripts. The first script launched the user.exe loader: it listed the files in a designated directory, checked for specific running processes, and then started the loader. The second script was designed to remove traces of the attack from the victim servers by deleting specific log files and directories.

Mitigation and Remediation:

In response to this critical security issue, SysAid has taken immediate action by releasing version 23.3.36. This version includes patches that address the identified vulnerability. Organizations that utilize SysAid On-Prem Software are strongly advised to update their systems to this version without delay.

Recommendations for Users:

Update SysAid Systems: It is crucial to ensure that your SysAid On-Prem installations are updated to version 23.3.36. This will apply the necessary patches to address the identified vulnerability.

Conduct a Thorough Assessment: Perform a comprehensive evaluation of your SysAid server to identify any potential signs of exploitation.

Review Credentials and Logs: Carefully examine credentials and other accessible information on your SysAid server. Additionally, thoroughly review relevant activity logs for any suspicious activity.
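The attack chain and PowerShell analysis above give a defender four things to look for on a SysAid On-Prem host: a recently written WAR archive in the Tomcat webroot, the user.exe loader on disk or in memory, gaps or emptied files in the Tomcat web logs (the second script's anti-forensics), and a shell spawned by the Tomcat process. The following hunting script is an added example, not code from SysAid, Profero, or Microsoft; the webroot and log paths are placeholders you must set for your installation, and the Tomcat process-name pattern and the daily access-log naming are assumptions about a default Tomcat layout.

```powershell
# Added hunting example for CVE-2023-47246 indicators. Not SysAid's or Profero's code.
# $WebRoot and $LogDir are placeholders: point them at your SysAid Tomcat install.
param(
    [string]$WebRoot = 'C:\PLACEHOLDER\SysAid\tomcat\webapps',
    [string]$LogDir  = 'C:\PLACEHOLDER\SysAid\tomcat\logs',
    [int]$Days = 14
)
$since = (Get-Date).AddDays(-$Days)
$findings = @()

# 1. WAR archives written to the webroot recently. A legitimate upgrade (e.g. to
#    23.3.36) also drops WARs, so compare hits against your change window.
Get-ChildItem -Path $WebRoot -Filter '*.war' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object { $findings += "Recent WAR in webroot: $($_.FullName) ($($_.LastWriteTime))" }

# 2. The loader named in the advisory: user.exe on disk under the webroot, or running.
Get-ChildItem -Path $WebRoot -Filter 'user.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "user.exe on disk: $($_.FullName)" }
Get-Process -Name 'user' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "user.exe running: PID $($_.Id) from $($_.Path)" }

# 3. Anti-forensics: the second script wiped web logs. Assumes Tomcat's default
#    daily access-log naming (one file per yyyy-MM-dd); flag missing days and empty files.
for ($i = 0; $i -lt $Days; $i++) {
    $day  = (Get-Date).AddDays(-$i).ToString('yyyy-MM-dd')
    $logs = Get-ChildItem -Path $LogDir -Filter "*$day*" -ErrorAction SilentlyContinue
    if (-not $logs) { $findings += "No Tomcat log for $day (gap may indicate wiping)"; continue }
    foreach ($l in $logs) { if ($l.Length -eq 0) { $findings += "Empty log file: $($l.FullName)" } }
}

# 4. A shell spawned by the Tomcat web service is how the WebShell ran its scripts.
#    Only catches processes still alive; the name pattern is an assumption. Needs admin.
$procs  = Get-CimInstance Win32_Process
$tomcat = $procs | Where-Object { $_.Name -match 'tomcat|java' }
foreach ($t in $tomcat) {
    $procs | Where-Object { $_.ParentProcessId -eq $t.ProcessId -and $_.Name -match 'powershell|cmd' } |
        ForEach-Object { $findings += "Shell child of $($t.Name) PID $($t.ProcessId): $($_.CommandLine)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No indicators found; still check the IOC list published by SysAid.' }
```

Run it elevated on the SysAid server; treat any hit as a trigger for the full assessment described above rather than as proof of compromise on its own.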

Indicators of Compromise (IOCs):

SysAid has provided a list of IOCs to assist organizations in detecting signs of exploitation. This includes hashes, IP addresses, file paths, and specific commands used by the attackers.

Conclusion:

The zero-day vulnerability CVE-2023-47246 found in SysAid On-Prem Software poses a significant threat to organizations utilizing this service. It is crucial to promptly implement the provided patches and conduct a thorough security assessment to mitigate risks and protect against potential exploits. Remain vigilant, adhere to incident response protocols, and utilize the provided IOCs to strengthen your defenses against this critical security threat.

Reference:

SysAid On-Prem Software CVE-2023-47246 Vulnerability