SysAid, a prominent provider of IT service management solutions, has recently patched four critical vulnerabilities in its on-premise software, following active exploitation by the Clop ransomware group. These vulnerabilities, particularly CVE-2023-47246, have been leveraged by cybercriminals to gain unauthorized access to corporate servers, leading to data theft and ransomware deployment.
Overview of the Vulnerabilities
The most severe of these vulnerabilities, CVE-2023-47246, is a path traversal flaw that allows attackers to execute arbitrary code by writing files to the Tomcat webroot directory. This vulnerability has been assigned a CVSS score of 9.8, indicating its critical nature. The flaw exists in SysAid On-Premise software versions prior to 23.3.36. Exploitation of this vulnerability enables attackers to upload malicious files, such as Web Application Resource (WAR) archives containing web shells, into the webroot of the SysAid Tomcat web service. Once deployed, these web shells provide attackers with remote code execution capabilities, facilitating further malicious activities.
Exploitation by Clop Ransomware Group
The Clop ransomware group, also known as Lace Tempest, has been identified as the primary threat actor exploiting these vulnerabilities. This group has a history of exploiting zero-day vulnerabilities to infiltrate organizations’ systems, exfiltrate sensitive data, and deploy ransomware. In the case of SysAid, the attackers utilized the path traversal vulnerability to upload a WAR archive containing a web shell into the Tomcat webroot directory. This web shell was then used to execute PowerShell scripts that deployed the GraceWire malware, a trojan designed to steal sensitive information and facilitate further malicious activities. Following the deployment of GraceWire, the attackers attempted to erase their tracks by using additional PowerShell scripts to delete activity logs and other evidence of their intrusion.
Technical Details of the Exploitation
The exploitation process involves sending a specially crafted POST request to the SysAid server, with the `accountID` parameter manipulated to perform path traversal. This manipulation allows the attacker to specify the location within the Tomcat webroot directory where the malicious WAR file should be written. Once the WAR file is uploaded, the attacker can access the web shell by navigating to its URL, thereby gaining remote code execution capabilities on the server. This method of exploitation is particularly concerning due to its low complexity and the lack of required privileges or user interaction, making it an attractive vector for attackers.
Mitigation Measures and Recommendations
In response to these vulnerabilities, SysAid has released a patch in version 23.3.36 of its on-premise software. All users are strongly urged to update to this version immediately to mitigate the risk of exploitation. Additionally, organizations should conduct thorough assessments of their SysAid servers to identify any signs of compromise. This includes reviewing activity logs for suspicious behavior, checking for unauthorized file uploads within the Tomcat webroot directory, and ensuring that the server is not exposed to the public internet. Implementing web application firewalls configured to detect and prevent path traversal attacks can also provide an additional layer of security.
Indicators of Compromise (IoCs)
Organizations should be vigilant for the following indicators of compromise associated with the exploitation of these vulnerabilities:
– File Paths:
– `C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe`
– `C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war`
– `C:\Program Files\SysAidServer\tomcat\webapps\leave`
– IP Addresses:
– `81.19.138.52`
– `45.182.189.100`
– `179.60.150.34`
– `45.155.37.105`
– Hashes:
– `b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d`
Monitoring for these IoCs can aid in the early detection of potential compromises and facilitate prompt response actions.
Conclusion
The active exploitation of critical vulnerabilities in SysAid’s on-premise software by the Clop ransomware group underscores the importance of timely software updates and robust security practices. Organizations utilizing SysAid’s on-premise solutions must prioritize the application of the latest patches and conduct comprehensive security assessments to safeguard against potential threats. Staying informed about emerging vulnerabilities and threat actor tactics is crucial in maintaining a secure IT environment.
