CVE-2023-47246
CVSS: TBD
Research by Microsoft Threat Intelligence has identified a vulnerability in SysAid IT On-Premise software, documented as CVE-2023-47246. The vulnerability allows a threat actor to leverage path traversal in order to execute their own code within the target system.
It has been identified that the threat actor Lace Tempest has exploited the vulnerability by uploading a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The full directory path was:
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\
The deployed WebShell granted the threat actor unauthorised access and control. Once established, they utilised PowerShell scripts to run a malware loader (with filename user.exe). This was in turn used to deploy the GraceWire Trojan, which was injected into one of the following running processes:
- spoolsv.exe
- msiexec.exe
- svchost.exe
Once GraceWire was deployed, a second PowerShell script was executed to erase evidence of the threat actor’s presence from the disk and associated web logs.
Lace Tempest has previously been observed utilising the MOVEit vulnerability in June 2023, and deploying Cl0p ransomware.
Given the severity of the vulnerability, it is recommended that steps are taken immediately to deploy patches issued by SysAid. Vulnerable users of the software should also review systems for evidence of prior exploitation. Further details can be found on the SysAid blog here.