SysAid vulnerability exploited.
By Tim Nodar, CyberWire senior staff writer
Nov 13, 2023

A Cl0p ransomware operator is exploiting a recently patched path traversal vulnerability in SysAid servers.

Microsoft’s threat intelligence team has warned that Lace Tempest, the Cl0p ransomware actor that was behind the widespread attacks against the MOVEit file transfer software earlier this year, is now exploiting a recently disclosed path traversal vulnerability (CVE-2023-47246) affecting on-premises SysAid servers. SysAid issued a patch for the flaw on November 8th.

Malicious WAR archive used in exploitation.

SysAid says the threat actor exploited the vulnerability as a zero-day by “[uploading] a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” Rapid7 notes, “Post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware.”

Highly skilled criminals.

Lace Tempest showed a high degree of skill in their exploitation of the SysAid vulnerability. Erich Kron, Security Awareness Advocate at KnowBe4, commented: 

“The skill level of many attackers appears to be on the rise, as demonstrated by this latest zero-day exploit. While it is limited in scope, it could be a significant concern for organizations that use SysAid. Using PowerShell scripts is nothing unique; however, it allows bad actors to execute things that are more easily camouflaged by traditional system activities, allowing for a much stealthier attack.

“With the patch being available at this time, organizations that use SysAid should immediately apply it, and perform some forensics work to ensure that the system was not compromised prior to patching.”

Steps to take against path traversal exploitation.

Paul Laudanski, Director of Security Research at Onapsis, noted:

“Organizations must ensure they are running web application firewalls that can be trained/configured to look out for path traversal, in addition to monitoring for activity or evidence of webshell execution and engagement. Internal logs should be capturing command line execution to create alerts on suspicious forks or code execution. Some of the alerting logic can be time-bound, i.e. when certain processes like Tomcat are executing or forking additional tasks in rapid succession that would generally be anomalous behavior – this should be an alert and have the SOC investigate. Organizations should understand their environment and fine-tune alerts regularly. 

“If SysAid’s Tomcat web service is launching subprocesses like PowerShell scripts, ensure those are being captured and inspected for suspicious behavior, filtering out the activities that are not genuine or approved and investigate those that are not. Since these types of attacks are fairly common, it is important to have a good framework to monitor and detect these tactics, techniques, and procedures (TTPs). As a first line of defense, focus on general TTPs to understand and instrument defenses around them.

“When a webshell is uploaded, it will generally execute in the context of the web server. If the web server is executing commands or binaries that are not normally done in your environment, send the trigger alert. This general approach for both web application firewall implementation and tuning, as well as internal application logs monitoring, detection, and fine-tuning, is an iterative process that targets the top of the pyramid of pain, TTPs, or patterns of ill intent.”
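
The alerting logic Laudanski describes can be sketched over process-creation events. This is an added example, not code from the article, SysAid, or any vendor: it flags children of the web server that fall outside an approved baseline, and time-bound bursts of spawns. The process names, event field names, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed values for illustration; tune them to your own baseline.
WEB_SERVER_PARENTS = {"tomcat9.exe", "java.exe"}  # processes hosting the web app
APPROVED_CHILDREN = {"conhost.exe"}               # children seen in normal operation
WINDOW = timedelta(seconds=60)                    # time bound for the burst rule
BURST_THRESHOLD = 3                               # spawns within WINDOW that alert

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return (rule, host, detail, time) alerts for children of the web server."""
    alerts, recent = [], {}  # recent: host -> timestamps of web-server spawns
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if basename(ev["parent"]) not in WEB_SERVER_PARENTS:
            continue
        ts = datetime.fromisoformat(ev["time"])
        child = basename(ev["image"])
        # Rule 1: the web server started something outside the approved baseline.
        if child not in APPROVED_CHILDREN:
            alerts.append(("unapproved_child", ev["host"], child, ev["time"]))
        # Rule 2: time-bound burst of spawns, approved or not.
        q = recent.setdefault(ev["host"], deque())
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            alerts.append(("spawn_burst", ev["host"], len(q), ev["time"]))
            q.clear()  # count afresh so one burst raises one alert
    return alerts

# Constructed sample events (host, paths and times are made up).
TOMCAT = r"C:\app\tomcat\bin\tomcat9.exe"
SAMPLE_EVENTS = [
    {"host": "helpdesk01", "time": "2023-11-13T10:00:00", "parent": TOMCAT, "image": r"C:\Windows\System32\conhost.exe"},
    {"host": "helpdesk01", "time": "2023-11-13T10:00:05", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "helpdesk01", "time": "2023-11-13T10:00:10", "parent": TOMCAT, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "helpdesk01", "time": "2023-11-13T10:00:20", "parent": TOMCAT, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "helpdesk01", "time": "2023-11-13T10:30:00", "parent": TOMCAT, "image": r"C:\Windows\System32\conhost.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The approved-children set is the part that needs regular tuning: build it from what the web server spawns during normal operation in your environment.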