SysAid Vulnerability Exploited in Lace Tempest's Latest Clop Ransomware Campaigns
Attempts to exploit a zero-day vulnerability (CVE-2023-47246) in SysAid On-Prem software have surfaced. The flaw is a path traversal that lets threat actors upload malicious payloads to the SysAid Tomcat web service, and it affects versions earlier than 23.3.36, which carries the fix. Microsoft's Threat Intelligence team linked these exploits to Lace Tempest (aka FIN11 and TA505), a threat group notorious for deploying Clop ransomware. According to Microsoft, "Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware. This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment."
SysAid's Chief Technology Officer, Sasha Shapirov, provides additional post-exploitation insights. The attacks commence with the upload of a "WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service," which resides at C:\Program Files\SysAidServer\tomcat\webapps\usersfiles. Using the webshell for control, the attackers deploy PowerShell scripts that execute the "Gracewire" malware. The PowerShell scripts also list the files in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory, check for the presence of the security monitoring solution "Sophos" before executing the malware, and clean up artifacts, including dropped payloads and log file entries. The malware was observed injecting into processes such as spoolsv.exe, msiexec.exe, and svchost.exe. Moreover, a PowerShell command downloads and executes a Cobalt Strike beacon.
SysAid's report urges customers to perform a comprehensive exposure check of their environment in the event they're unable to patch immediately. Further recommendations and references are offered in SysAid's report to guide organizations in their threat assessment.
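As an added example (not code from SysAid, Microsoft, or the article), the following Python helpers turn the post-exploitation chain described above into two triage checks an exposure review could run: deployable content sitting in the usersfiles webroot, and PowerShell launched from under the SysAid install directory or referencing that webroot. The sample paths and process events are constructed, the ProcEvent field layout is an assumed shape rather than a real log schema, and the Tomcat binary path in the sample is a guess.

```python
# Triage helpers for the SysAid post-exploitation chain summarised above.
# Added example, not SysAid's or Microsoft's code. Sample data is constructed;
# ProcEvent's fields are an assumed shape, not a real log schema.
import ntpath
from dataclasses import dataclass

# Webroot named in SysAid's report; deployable content landing here is suspect.
USERSFILES_DIR = r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles"
DEPLOYABLE_EXTS = {".war", ".jsp", ".jspx"}  # Tomcat deploys/compiles these

def flag_webroot_files(paths):
    """Return paths under usersfiles whose extension Tomcat treats as code."""
    prefix = USERSFILES_DIR.lower() + "\\"
    return [p for p in paths
            if p.lower().startswith(prefix)
            and ntpath.splitext(p)[1].lower() in DEPLOYABLE_EXTS]

@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process

def flag_process_events(events):
    """Flag PowerShell launched from under the SysAid install directory, and
    PowerShell command lines that touch the usersfiles webroot (the listing
    and cleanup behaviour in the report). Returns (rule, cmdline) pairs."""
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        if "sysaidserver" in e.parent.lower():
            findings.append(("powershell-from-sysaid-tomcat", e.cmdline))
        if "usersfiles" in e.cmdline.lower():
            findings.append(("powershell-touches-usersfiles", e.cmdline))
    return findings

# Constructed sample input (not real telemetry); the Tomcat binary path is assumed.
SAMPLE_PATHS = [
    USERSFILES_DIR + r"\ticket-attachment.pdf",
    USERSFILES_DIR + r"\user.war",
    USERSFILES_DIR + r"\img\shell.jsp",
    r"C:\Program Files\SysAidServer\tomcat\webapps\sysaid\WEB-INF\web.xml",
]
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\SysAidServer\tomcat\bin\tomcat.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-ChildItem 'C:\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles'"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Date"),
]
```

Feed real directory listings and process-creation telemetry (Sysmon Event ID 1 or Security 4688) into the two functions; a hit on either check warrants the artifact review the report recommends, since the scripts described above also delete dropped payloads and log entries.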