CVE-2023-47246

CVSS: TBD

Research by Microsoft Threat Intelligence has identified a vulnerability in SysAid IT On-Premise software, documented as CVE-2023-47246. The vulnerability allows a threat actor to leverage path traversal in order to execute their own code within the target system.

It has been identified that the threat actor Lace Tempest has exploited the vulnerability by uploading a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The full directory path was:

C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\

The deployed WebShell granted the threat actor unauthorised access and control. Once established, they utilised PowerShell scripts to run a malware loader (with filename user.exe). This was in turn used to deploy the GraceWire Trojan, which was injected into one of the following running processes:

• spoolsv.exe
• msiexec.exe
• svchost.exe

Once GraceWire was deployed, a second PowerShell script was executed to erase evidence of the threat actor’s presence from the disk and associated web logs.

Lace Tempest has previously been observed utilising the MOVEit vulnerability in June 2023, and deploying Cl0p ransomware.

Given the severity of the vulnerability, it is recommended that steps are taken immediately to deploy patches issued by SysAid.  Vulnerable users of the software should also review systems for evidence of prior exploitation.  Further details can be found on the SysAid blog here.

For further information on CL0P’s recent activities and other ransomware blogs check out my latest Ransomware statistics article here.

CVE-2023-4966

CVSS: 9.4

Last week, Citrix released a patch for CVE-2023-4966. This vulnerability allows threat actors to hijack existing, authenticated sessions and bypass multi-factor authentication. As a result, they could fully control NetScaler environments, and therefore manage and control application delivery.

The vulnerability impacts the following versions of Citrix NetScaler:

• NetScaler ADC and NetScaler Gateway 14.1-8.50  and later releases
• NetScaler ADC and NetScaler Gateway  13.1-49.15  and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Cybersecurity firm Mandiant has been tracking exploitation of the vulnerability and has seen evidence of use since August 2023 by an as-yet-unknown threat actor. This threat actor appears most concerned with cyberespionage, with targets including professional services, technology and government organisations. Over time, it is anticipated that further threat actors will begin exploiting this vulnerability across wider sectors for financial gain.

Despite the patch being issued, it is anticipated that exploitation of this vulnerability will increase. This is down to a slow uptake of patching undertaken by users of Citrix NetScaler. For example, we previously reported on CVE-2023-3519 which was patched in July 2023 after being exploited as early as June 2023. Research by the Shadowserver Foundation indicates at least 1,300 NetScaler instances are still vulnerable to this exploit.

Citrix recommends updating and patching all instances of NetScaler to the most recently available versions in order to limit the impact of the vulnerability. Further details can be found here.