
SysAid Zero-Day Exploited to Deploy Ransomware

Coalition Security Labs, our security research and innovation center, has been monitoring the events surrounding a critical zero-day vulnerability in SysAid. SysAid publicly disclosed the vulnerability on November 8, 2023. It is being widely compared to the high-profile MOVEit compromises over the summer because the threat actor behind it has been observed deploying malware commonly associated with Cl0p ransomware.

What happened?

SysAid is a widely used IT service management (ITSM) platform that organizations use to run help desk ticketing, asset tracking, and similar IT operations workflows.

Microsoft Threat Intelligence discovered exploitation of the vulnerability (CVE-2023-47246) in the on-premises version of SysAid and attributed the activity to Lace Tempest, a threat actor known to deploy Cl0p ransomware. Microsoft notified SysAid, and SysAid issued a patch in version 23.3.36.

Looking at our honeypot data, we saw light reconnaissance activity for SysAid as far back as March 2023 and a second cluster of honeypot contacts near the end of June 2023. On closer inspection, the March traffic appears to have originated from a German company that performs attack surface monitoring. The company appears legitimate, but it raises the question of why they were searching for SysAid at that time.

The contacts with our honeypots near the end of June have a more interesting origin: a mobile phone network in China. The origin of the IP addresses, combined with a unique user agent, suggests that the party performing the reconnaissance was using a proxy network as its platform for scanning from China.

That unique user agent also let us look more closely at what else the same party was probing for: mostly Java and PHP applications. It hit our honeypot for 28 minutes, logging 2,446 requests across 929 unique paths. By frequency, the SysAid probe ranked 42nd among the paths requested on the targeted honeypot.

Coalition Security Labs has not seen this user agent since June 2023. Given the wide array of technologies being probed, SysAid was unlikely to be the primary target. By contrast, the targeting we observed against MOVEit appeared far more precise and calculated than this scanning activity.
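As an added example of the kind of honeypot triage described above (this is not Coalition Security Labs' tooling), the script below groups request log lines by User-Agent, measures each agent's active window, counts its requests and distinct paths, and ranks where a SysAid probe falls among everything that agent asked for. The log lines are constructed in Apache combined format with documentation IP ranges, and the User-Agent string is made up.

```python
"""Honeypot request triage: group traffic by User-Agent, then rank probed paths.

Added example, not Coalition Security Labs' tooling. SAMPLE_LOG is constructed
(documentation IPs, a made-up User-Agent); the "fingerprint" here is simply
the literal User-Agent string.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SCANNER_UA = "ExampleScanner/9.1 (probe)"  # constructed, stands in for the unique UA

SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2023:10:01:02 +0000] "GET /SysAid/ HTTP/1.1" 404 0 "-" "ExampleScanner/9.1 (probe)"
203.0.113.7 - - [28/Jun/2023:10:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "ExampleScanner/9.1 (probe)"
203.0.113.7 - - [28/Jun/2023:10:01:04 +0000] "GET /manager/html HTTP/1.1" 404 0 "-" "ExampleScanner/9.1 (probe)"
203.0.113.9 - - [28/Jun/2023:10:05:10 +0000] "GET /manager/html HTTP/1.1" 404 0 "-" "ExampleScanner/9.1 (probe)"
203.0.113.9 - - [28/Jun/2023:10:12:00 +0000] "GET /manager/html?x=1 HTTP/1.1" 404 0 "-" "ExampleScanner/9.1 (probe)"
203.0.113.9 - - [28/Jun/2023:10:29:30 +0000] "GET /SysAid/ HTTP/1.1" 404 0 "-" "ExampleScanner/9.1 (probe)"
198.51.100.2 - - [28/Jun/2023:11:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without query strings
        records.append(rec)
    return records


def summarize_by_user_agent(records):
    """Per User-Agent: request count, distinct paths, source IPs and active window."""
    groups = defaultdict(list)
    for r in records:
        groups[r["ua"]].append(r)
    summary = {}
    for ua, recs in groups.items():
        times = sorted(r["ts"] for r in recs)
        summary[ua] = {
            "requests": len(recs),
            "unique_paths": len({r["path"] for r in recs}),
            "source_ips": sorted({r["ip"] for r in recs}),
            "duration_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return summary


def path_rank(records, ua, path):
    """Rank of `path` among everything this UA requested (1 = most requested),
    plus its hit count; None if the UA never asked for it. Ties share a rank."""
    counts = Counter(r["path"] for r in records if r["ua"] == ua)
    hits = counts.get(path, 0)
    if hits == 0:
        return None
    rank = 1 + sum(1 for n in counts.values() if n > hits)
    return rank, hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ua, s in summarize_by_user_agent(recs).items():
        print(ua, s)
    print("SysAid probe rank for scanner:", path_rank(recs, SCANNER_UA, "/SysAid/"))
```

The useful signal is a User-Agent (or TLS/HTTP fingerprint) that recurs across several source IPs inside one short window, as with the June cluster; the rank of a product's path among that agent's requests is what tells you whether it was the target or one entry on a long checklist.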

How does the vulnerability work?

According to SysAid, CVE-2023-47246 is a path traversal vulnerability in the on-premises server that lets an attacker write files outside the intended directory on the web server, which in this case was enough to achieve unauthorized code execution. SysAid also shared technical details about the vulnerability uncovered during an investigation by incident response firm Profero.

Threat actors uploaded a Web Application Archive (WAR) containing a web shell, a server-side script that lets an attacker run commands on the host over ordinary HTTP requests, into the webroot of the SysAid Tomcat web service. The web shell gave them control of affected systems, allowing them to deploy additional malware; according to SysAid, the investigation observed a loader for the GraceWire trojan, which is commonly associated with Cl0p. After deploying the malware, the threat actors ran a PowerShell script to remove evidence, including logs, from compromised systems.
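To make the bug class concrete, here is an added illustration (not SysAid's code) of the pattern behind a write-anywhere path traversal: a file-write handler that joins a caller-supplied filename onto its base directory verbatim, beside a hardened version that resolves the final path and refuses anything outside the base. The "uploads" and "webapps" directory names are assumptions chosen to mirror a Tomcat-style layout, and the written bytes are placeholders.

```python
"""Path traversal in a file-write handler: the unsafe join beside a hardened one.

Added illustration of the bug class, not SysAid's code. The 'uploads' and
'webapps' directory names are assumptions that mirror a Tomcat-style layout.
"""
import os
import tempfile
from pathlib import Path


def save_upload_unsafe(base_dir, filename, data):
    """Vulnerable: the caller-controlled name is joined verbatim, so '../'
    segments walk out of base_dir and the file lands wherever they point."""
    target = os.path.join(base_dir, filename)
    with open(target, "wb") as f:
        f.write(data)
    return os.path.realpath(target)


def save_upload_safe(base_dir, filename, data):
    """Hardened: resolve the final path (normalising '..' and following symlinks)
    and require it to sit strictly inside base_dir before touching the filesystem."""
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    if base not in target.parents:  # also rejects absolute names and '' (target == base)
        raise ValueError(f"path escapes upload directory: {filename!r}")
    target.write_bytes(data)
    return str(target)


def demo():
    """Constructed scenario: an 'uploads' directory beside a 'webapps' directory,
    and a filename that tries to drop a .war file into the latter."""
    root = Path(tempfile.mkdtemp())
    uploads, webapps = root / "uploads", root / "webapps"
    uploads.mkdir()
    webapps.mkdir()
    evil = "../webapps/dropped.war"

    written = save_upload_unsafe(str(uploads), evil, b"PK")  # placeholder bytes
    unsafe_escaped = Path(written).parent == webapps.resolve()

    try:
        save_upload_safe(str(uploads), evil, b"PK")
        safe_blocked = False
    except ValueError:
        safe_blocked = True

    benign = save_upload_safe(str(uploads), "attachment.txt", b"hello")
    benign_ok = Path(benign).parent == uploads.resolve()
    return {"unsafe_escaped": unsafe_escaped,
            "safe_blocked": safe_blocked,
            "benign_ok": benign_ok}


if __name__ == "__main__":
    print(demo())
```

The reason a write primitive into the webroot is equivalent to code execution on Tomcat is that a default Host definition has autoDeploy enabled, so a WAR dropped into webapps is unpacked and started without any further interaction; the check that matters is therefore on the resolved path, not on the presence of ".." in the raw string, since encoded or symlinked variants evade the latter.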

SysAid has published guidance for patching this vulnerability. The most important points are:

  • Update systems running SysAid to version 23.3.36, which includes the patches for the identified vulnerability.

  • Conduct a thorough compromise assessment of SysAid servers, looking for the indicators of compromise (IOCs) listed in SysAid's advisory.

  • Review any credentials or other information that would have been available to someone with full access to the SysAid server, and check relevant activity logs for suspicious behavior. Because the observed intrusions included log deletion, missing or truncated logs are themselves a signal worth investigating.
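As an added starting point for the compromise assessment step above (this is not SysAid's or Coalition's tooling), the script below walks a Tomcat webapps directory and reports top-level deployments that are not on an allowlist, WAR files modified inside the investigation window, and JSP files anywhere in the tree modified inside that window, since a web shell dropped into an existing application is still a new JSP. The allowlist and the directory tree built in demo() are assumptions; on a real host, point triage_webapps() at the SysAid Tomcat instance's webapps directory.

```python
"""Triage a Tomcat webapps directory for deployments that should not be there.

Added example, not SysAid's or Coalition's tooling. EXPECTED_APPS and the
constructed tree in demo() are assumptions; on a real host, point
triage_webapps() at the webapps directory of the SysAid Tomcat instance and
set `since` to the start of the window you are investigating.
"""
import os
import tempfile
import time
from pathlib import Path

# Assumption: the contexts a clean install is expected to carry; adjust to yours.
EXPECTED_APPS = {"ROOT", "SysAid"}


def triage_webapps(webapps_dir, since, expected=EXPECTED_APPS):
    """Return (kind, path) findings for a webapps tree.

    kinds: unexpected_deployment - top-level WAR or exploded app not in `expected`
           recent_war            - top-level WAR modified at or after `since` (epoch seconds)
           recent_jsp            - any .jsp in the tree modified at or after `since`
    """
    webapps = Path(webapps_dir)
    findings = []
    for entry in sorted(webapps.iterdir()):
        is_war = entry.is_file() and entry.suffix.lower() == ".war"
        name = entry.stem if is_war else entry.name
        if name not in expected:
            findings.append(("unexpected_deployment", str(entry)))
        if is_war and entry.stat().st_mtime >= since:
            findings.append(("recent_war", str(entry)))
    # A web shell planted inside an existing app is still a new or modified JSP,
    # so check modification times across the whole tree, not only the top level.
    for jsp in sorted(webapps.rglob("*.jsp")):
        if jsp.stat().st_mtime >= since:
            findings.append(("recent_jsp", str(jsp)))
    return findings


def demo():
    """Build a constructed webapps tree and run the triage over it."""
    root = Path(tempfile.mkdtemp()) / "webapps"
    (root / "ROOT").mkdir(parents=True)
    (root / "SysAid" / "images").mkdir(parents=True)
    (root / "ROOT" / "index.jsp").write_text("<%-- constructed legitimate page --%>")
    (root / "SysAid" / "index.jsp").write_text("<%-- constructed legitimate page --%>")
    (root / "SysAid" / "images" / "cmd.jsp").write_text("<%-- constructed suspicious file --%>")
    (root / "updates.war").write_bytes(b"PK")  # constructed: unexpected top-level WAR
    # Age the legitimate files to a year ago so only the planted files look recent.
    old = time.time() - 365 * 86400
    for legit in ("ROOT/index.jsp", "SysAid/index.jsp"):
        os.utime(root / legit, (old, old))
    since = time.time() - 30 * 86400
    return triage_webapps(root, since)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:22} {path}")
```

Treat a clean result as absence of evidence, not evidence of absence: the actors described here cleaned up after themselves, and modification times are trivially forged, so pair this with the advisory's IOCs, the Tomcat access and catalina logs (and any gaps in them), and process-level telemetry for the host.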

How Coalition is responding 

Whenever a new zero-day vulnerability is published, our first step is to use our existing honeypot and scan data to identify policyholders running the vulnerable technology.

We notified affected policyholders on November 9, 2023. Because threat actors are deleting activity logs, Coalition Incident Response (CIR), an affiliate of Coalition, Inc., will also proactively contact policyholders running the impacted version of SysAid.

Coalition Security Labs will use the information around this vulnerability and our honeypot data to improve our ability to identify potential threats before they emerge. 

Organizations should follow SysAid's guidance: patch to the current version and review their systems for IOCs. If any Coalition policyholders are running an unpatched version of SysAid, CIR will contact them to rule out a potential infection.

Impacted parties can learn about specific vulnerabilities impacting their digital infrastructure through Coalition Control™. Included in Control is Vendor and Third-Party Monitoring, a feature that allows organizations to keep a careful eye on the companies and suppliers they partner with, helping to mitigate the risk of supply chain disruptions. These insights can help security decision-makers understand the ramifications of third-party risk for their organizations and respond accordingly.


Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. (“CIS”), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.