Microsoft: SysAid Zero-day Flaw Exploited in Clop Ransomware Attacks

Cyber Security Threat Summary:
Microsoft says Cl0p ransomware operators have begun exploiting a zero-day vulnerability in the service management software SysAid to access corporate servers for data theft and to deploy ransomware. SysAid is an IT Service Management (ITSM) solution that helps organizations manage IT services within their environment.

Cl0p operators have focused their efforts on exploiting zero-day vulnerabilities in widely used software, including MOVEit Transfer, GoAnywhere MFT, and Accellion FTA. This latest vulnerability, tracked as CVE-2023-47246, was discovered on November 2nd and has since been exploited in the wild by threat actors.

SysAid published a report on Wednesday disclosing that CVE-2023-47246 is a path traversal vulnerability that leads to unauthorized code execution, and shared technical details of the attack.

Using the vulnerability, threat actors upload a webshell into the webroot of the SysAid Tomcat service. Through the webshell, the actors execute additional PowerShell scripts and load the GraceWire malware, which is injected into legitimate processes (spoolsv[.]exe, msiexec[.]exe, and svchost[.]exe). Another malware loader (user[.]exe) checks the system's running processes to ensure Sophos security products are not present. Once data has been exfiltrated from the system, the threat actors use further PowerShell scripts to erase logs that might record their activity. The group also deploys Cobalt Strike listeners on compromised hosts.

Security Officer Comments:
Cl0p went relatively quiet after exploiting the MOVEit zero-day. We have been preparing for their next round of attacks against the next unknown zero-day. In the case of the MOVEit zero-day, Cl0p moved quickly to exploit as many victims as possible. We expect the same to be true for users of SysAid. It’s been confirmed that the MOVEit breach has affected over 1,000 organizations and 60 million individuals all around the world. Financial damages are estimated to be over US$10 billion.

Suggested Correction(s):
Once the vulnerability was disclosed, SysAid quickly developed and released a patch, which is available via software update. All SysAid users are strongly recommended to upgrade to version 23.3.36 or later.

System administrators should also check servers for signs of compromise by following the steps below:

  • Check the SysAid Tomcat webroot for unusual files, especially WAR, ZIP, or JSP files with anomalous timestamps.
  • Look for unauthorized WebShell files in the SysAid Tomcat service and inspect JSP files for malicious content.
  • Review logs for unexpected child processes of Wrapper.exe, which may indicate WebShell use.
  • Check PowerShell logs for script executions that align with the attack patterns described.
  • Monitor key processes like spoolsv[.]exe, msiexec[.]exe, and svchost[.]exe for signs of unauthorized code injection.
  • Apply the provided IOCs to identify any signs of the vulnerability being exploited.
  • Search for evidence of specific attacker commands that indicate system compromise.
  • Run security scans for known malicious indicators related to the vulnerability.
  • Look for connections to the listed C2 IP addresses.
  • Check for signs of attacker-led cleanup to conceal their presence.

SysAid's report provides indicators of compromise that can help detect or prevent the intrusion. These consist of filenames and hashes, IP addresses, file paths used in the attack, and the commands the threat actor used to download malware or to delete evidence of initial access.
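The checks above can be run in one pass from an elevated PowerShell session on the SysAid server. The script below is an added example written for this page; it is not SysAid's or Microsoft's tooling. It assumes a default-style install under C:\Program Files\SysAidServer with Tomcat in tomcat\webapps, that process-creation auditing with command-line logging (Security event 4688) and PowerShell script block logging (event 4104) are enabled, and that the C2 IP addresses from SysAid's advisory have been saved one per line in a file named sysaid-ioc-ips.txt (the list is not embedded here; take it from the vendor report). Where those logs are not enabled, the corresponding sections simply return nothing.

```powershell
<#
  Triage script for the SysAid CVE-2023-47246 indicators listed above.
  Added example, not vendor code. Assumed paths and file names are parameters.
#>
param(
    [string]$SysAidRoot  = 'C:\Program Files\SysAidServer',   # assumed install path
    [string]$IocIpFile   = '.\sysaid-ioc-ips.txt',            # assumed: C2 IPs from SysAid's report
    [int]   $LookbackDays = 30
)

$since   = (Get-Date).AddDays(-$LookbackDays)
$webroot = Join-Path $SysAidRoot 'tomcat\webapps'

# Turn an event's <EventData> into a name -> value table so we do not depend on
# Properties[] index positions, which differ between Windows versions.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. Recently written WAR/ZIP/JSP files in the Tomcat webroot (where the webshell is dropped).
Write-Host "== WAR/ZIP/JSP files written under $webroot since $since =="
Get-ChildItem -Path $webroot -Recurse -Include *.war,*.zip,*.jsp -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# 2. JSP files containing command-execution primitives typical of a webshell.
Write-Host "== JSP files with command-execution primitives =="
Get-ChildItem -Path $webroot -Recurse -Include *.jsp -File -ErrorAction SilentlyContinue |
    Select-String -Pattern 'Runtime\.getRuntime\(\)\.exec|ProcessBuilder|cmd\.exe|powershell' |
    Select-Object Path, LineNumber, Line |
    Format-Table -AutoSize -Wrap

# 3. Processes spawned by the SysAid service wrapper. Tomcat has no business
#    launching cmd.exe or powershell.exe; any hit here deserves a look.
Write-Host "== Child processes of Wrapper.exe (Security 4688) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.ParentProcessName -like '*\Wrapper.exe') {
            [pscustomobject]@{ Time = $_.TimeCreated; NewProcess = $d.NewProcessName; CommandLine = $d.CommandLine }
        }
    } | Format-Table -AutoSize -Wrap

# 4. PowerShell script blocks that download payloads or wipe logs, matching the
#    post-exploitation behaviour described in the advisory.
$suspicious = 'DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer|wevtutil|Clear-EventLog|Remove-Item[^\n]*\.log'
Write-Host "== Suspicious PowerShell script blocks (PowerShell/Operational 4104) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.ScriptBlockText -match $suspicious) {
            $s = ($d.ScriptBlockText -replace '\s+', ' ')
            [pscustomobject]@{ Time = $_.TimeCreated; Snippet = $s.Substring(0, [Math]::Min(200, $s.Length)) }
        }
    } | Format-Table -AutoSize -Wrap

# 5. The secondary loader runs as user.exe; a live instance is a strong signal.
Write-Host "== Running user.exe processes =="
Get-Process -Name user -ErrorAction SilentlyContinue | Select-Object Id, Path, StartTime | Format-Table -AutoSize

# 6. Established connections owned by the processes GraceWire is injected into,
#    flagged against the vendor's C2 list. svchost/spoolsv legitimately hold
#    connections, so treat this as a candidate list; KnownC2 = True is the alarm.
$iocIps = @()
if (Test-Path $IocIpFile) {
    $iocIps = Get-Content $IocIpFile | Where-Object { $_ -match '\S' } | ForEach-Object { $_.Trim() }
}
$injectedInto = 'spoolsv', 'msiexec', 'svchost'
Write-Host "== Established connections from spoolsv/msiexec/svchost (KnownC2 compares against $IocIpFile) =="
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($p -and $injectedInto -contains $p.ProcessName) {
            [pscustomobject]@{
                Process = $p.ProcessName; PID = $p.Id
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                KnownC2 = ($iocIps -contains $_.RemoteAddress)
            }
        }
    } | Sort-Object KnownC2 -Descending | Format-Table -AutoSize
```

Run it as `.\sysaid-triage.ps1 -SysAidRoot 'D:\SysAidServer' -LookbackDays 14` to point it at a non-default install and narrow the window. The script is read-only: it deletes nothing and touches no logs, so it is safe to run before an incident responder images the host. Note that steps 3 and 4 only show activity the attacker did not already erase; an empty 4104 section on a server where script block logging is known to be on is itself a cleanup indicator worth noting.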