MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246)
A critical zero-day vulnerability (CVE-2023-47246) in the SysAid IT support and management software solution is being exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware.
Lace Tempest has previously exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer installations to steal data from many enterprises and public sector organizations.
The group has also similarly leveraged zero days in the Accellion file transfer appliance and Fortra’s GoAnywhere file transfer solution.
CVE-2023-47246 exploited
The (limited) attacks were first spotted by the Microsoft Threat Intelligence team, and they notified Israeli software maker SysAid about them on November 2, 2023.
“We immediately initiated our incident response protocol and began proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified,” SysAid’s CTO Sasha Shapirov noted.
“We engaged Profero, a cyber security incident response company, to assist us in our investigation. The investigation determined that there was a zero-day vulnerability in the SysAid on-premises software.”
The exploited zero day (CVE-2023-47246) is a path traversal vulnerability that allows threat actors to gain unauthorized access to affected systems and execute arbitrary code.
According to Shapirov, the attackers exploited the vulnerability to upload a WAR archive containing a webshell and other payloads into the webroot directory of the SysAid Tomcat web service.
“The webshell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the webshell, to execute a malware loader named user.exe on the compromised host.”
The latter injected the GraceWire trojan into various processes (spoolsv.exe, msiexec.exe and svchost.exe).
“This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment,” the Microsoft Threat Intelligence team noted.
Finally, the attackers used a second PowerShell script to wipe evidence of their activity from the disk and the SysAid on-prem server web logs.
Patch and investigate
The company advised customers running a SysAid on-prem server to update to the version (v23.3.36) that patches CVE-2023-47246, and to check their systems against the indicators of compromise it provided.
“Look for unauthorized access attempts or suspicious file uploads within the webroot directory of the SysAid Tomcat web service. Look for unusual files within the SysAid webroot directory, especially any WAR files, ZIP files, or JSP files that contain file timestamps that differ from the rest of the SysAid installation files. If SysAid is behind a proxy or a WAF, check the access logs from these services for suspicious POST requests to the server for signs of exploitation,” Shapirov advised.
Enterprise defenders should also be on the lookout for unauthorized or suspicious webshells, abnormal PowerShell script execution activities, and check for unusual network connections, unexpected process behavior, or abnormal CPU/memory usage in the processes injected with the GraceWire loader.
“Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior,” he added.
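The webroot and proxy-log checks above, as an added defensive example that is not from SysAid, Microsoft or the article: a Python script that flags WAR/ZIP/JSP files whose modification time is far from the rest of the installation, and POST requests in combined-format access logs whose path carries a traversal sequence or names an archive/JSP. The file paths, timestamps and log lines are constructed samples, not real indicators.

```python
import os
import re
import statistics
# File types SysAid's advisory tells defenders to look for in the Tomcat webroot.
SUSPICIOUS_EXT = (".war", ".zip", ".jsp")

def outlier_files(entries, tolerance_s=86400):
    """entries = [(path, mtime)] for the whole webroot; return WAR/ZIP/JSP files
    whose mtime is more than tolerance_s away from the installation's median mtime."""
    if not entries:
        return []
    median = statistics.median(mtime for _, mtime in entries)
    return sorted(path for path, mtime in entries
                  if path.lower().endswith(SUSPICIOUS_EXT) and abs(mtime - median) > tolerance_s)

def walk_webroot(root):
    """Collect (path, mtime) for every file under a real webroot directory."""
    return [(os.path.join(d, n), os.stat(os.path.join(d, n)).st_mtime)
            for d, _, names in os.walk(root) for n in names]

# Apache/nginx combined log format, as written by a proxy or WAF in front of SysAid.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_posts(lines):
    """Return (ip, path, status) for POSTs whose path carries a traversal sequence
    or names an archive/JSP: the trace an upload into the webroot leaves in the proxy log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"]
        if "../" in path or "..%2f" in path.lower() or path.lower().endswith(SUSPICIOUS_EXT):
            hits.append((m["ip"], path, int(m["status"])))
    return hits

# Constructed sample data, not real IoCs: three files from one install date plus a WAR dropped weeks later.
SAMPLE_FILES = [
    ("C:/SysAid/tomcat/webapps/ROOT/index.jsp", 1_690_000_000.0),
    ("C:/SysAid/tomcat/webapps/ROOT/WEB-INF/web.xml", 1_690_000_100.0),
    ("C:/SysAid/tomcat/webapps/ROOT/lib/app.jar", 1_690_000_200.0),
    ("C:/SysAid/tomcat/webapps/dropped.war", 1_698_700_000.0),
]
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2023:10:12:01 +0000] "GET /index.jsp HTTP/1.1" 200 5123',
    '203.0.113.7 - - [02/Nov/2023:03:14:09 +0000] "POST /upload?dir=../../webapps/dropped.war HTTP/1.1" 200 12',
    '10.0.0.8 - - [02/Nov/2023:08:00:00 +0000] "POST /api/login HTTP/1.1" 200 88',
]
```

On a live server, feed `walk_webroot(<tomcat webapps dir>)` to `outlier_files` and the proxy or WAF access log lines to `suspicious_posts`; a hit is a lead to triage against the installation's known files, not proof of compromise on its own.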
UPDATE (November 10, 2023, 09:15 a.m. ET):
Huntress researchers say they’ve created a fully weaponized proof-of-concept exploit thanks to the indicators of compromise shared by SysAid, but they will not publish it yet.
They’ve also discovered one compromised SysAid instance across their partner base showing those same IoCs, and found that it had been compromised on October 30.