Zero-Day Alert: Lace Tempest CVE-2023-47246 Vulnerability in SysAid Software Exploited by Ransomware Group


Critical Alert: Discover the implications of the Lace Tempest CVE-2023-47246 vulnerability in SysAid software, exploited by the notorious ransomware group TA505, also known as cl0p. Learn about the path traversal flaw, Microsoft's insights, and urgent patching advice. Stay informed on the latest in cybersecurity with Phoenix Security's insights and solutions for mitigating this high-impact ransomware threat.

SysAid, a vendor of IT management software, published a critical warning on November 6th, 2023 regarding an unpatched bug in the on-premises version of its service software. Recently uncovered as SANS vulnerability id CVE-2023-47246, this vulnerability has already been exploited in the wild. Microsoft first identified and disclosed the vulnerability, attributing it to the ransomware gang TA505, commonly known as Lace Tempest or cl0p.

Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers.


CVE-2023-47246 in detail

This is an example of a path traversal vulnerability leading to code execution in SysAid's on-premises software, identified as CVE-2023-47246. It allows attackers to write a WAR file containing a webshell, or other forms of payload, that is then executed by the SysAid Apache Tomcat webserver. A notable indication of compromise is the presence of a webshell in the directory C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.

“After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware,” said Microsoft.

According to SysAid, the threat actor has been observed uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service.
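To show the defensive side of the flaw class described above, here is an added example (not SysAid's code, nor derived from it) of how an upload handler can pin a client-supplied file name inside its intended directory and refuse file types a servlet container could deploy or execute. The upload root, the extension allow-list and the sample names are constructed assumptions for the example.

```python
import posixpath

# Constructed upload root for the example. A real deployment would point this at
# the application's own attachment store, never at the servlet container's
# webapps directory, so that a written file can never be deployed as a webapp.
UPLOAD_ROOT = "/srv/app/uploads"

# Constructed allow-list: attachment types the application actually needs.
# Anything Tomcat could deploy or execute (.war, .jsp, ...) is deliberately absent.
ALLOWED_SUFFIXES = {".pdf", ".png", ".jpg", ".txt", ".log"}


def resolve_upload_target(client_name, root=UPLOAD_ROOT, allowed=ALLOWED_SUFFIXES):
    """Return the normalised absolute path an upload may be written to, or None
    when the client-supplied name must be rejected.

    The name must already have been URL-decoded exactly once by the web
    framework; validating a still-encoded name is how "%2e%2e/" style bypasses
    slip past a check like this one.
    """
    # 1. Reject empty names and characters that posixpath (used deliberately so
    #    the logic is identical on every host) would not treat as separators.
    if not client_name or "\\" in client_name or "\x00" in client_name:
        return None
    # 2. Reject absolute and drive-qualified names outright.
    if client_name.startswith("/") or ":" in client_name:
        return None
    # 3. Join and collapse '.' / '..' lexically, then require that the result is
    #    still inside the root. commonpath compares whole path components, so a
    #    sibling such as /srv/app/uploads_evil does not pass as a prefix match.
    joined = posixpath.normpath(posixpath.join(root, client_name))
    if joined == root or posixpath.commonpath([root, joined]) != root:
        return None
    # 4. Enforce the extension allow-list on the final component.
    if posixpath.splitext(joined)[1].lower() not in allowed:
        return None
    return joined


if __name__ == "__main__":
    # Constructed sample names: legitimate attachments first, then traversal and
    # executable-type attempts that must all be refused.
    for name in ("report.pdf", "tickets/42/screenshot.png",
                 "../../tomcat/webapps/usersfiles/x.war", "..\\..\\x.war",
                 "../uploads_evil/x.pdf", "shell.war", "."):
        print(f"{name!r:45} -> {resolve_upload_target(name)}")
```

The two checks that matter most are the component-wise containment test (a plain string prefix comparison would accept a sibling directory whose name merely starts with the root) and keeping the upload root outside the container's deployment tree, so that even a successful write cannot become a running web application.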

Decoding CVE-2023-47246 and its impact in the wild

  • CVSS (rescored) 5.5
  • CTI – 0.4 (low use)
  • Impact – High (ransomware)
  • EPSS – 0.000460000 (very low)
  • Exploit Available / Used for ransomware

Shodan distribution

The exposure visible in Shodan is relatively small: roughly 869 servers, varying between 230 and 900 instances accessible on the public internet depending on which of the two queries ("SysAid" and "SysAid Help desk") is used.

Currently there are no indicators of mass exploitation of this vulnerability, so the risk level remains moderate; however, since the vulnerability is being used in ransomware attacks, patching is recommended.

Interest in the vulnerability has decreased since its publication on the 11th and the initial advisory.


Feedly CVE analysis

The vulnerability is critical as it opens a web shell and back door for further exploitation.

The web shell, besides providing the threat actor with backdoor access to the compromised host, is used to deliver a PowerShell script that’s designed to execute a loader that, in turn, loads Gracewire.

Also deployed by the attackers is a second PowerShell script that’s used to erase evidence of the exploitation after the malicious payloads have been deployed. Furthermore, the attack chains are characterised by the use of the MeshCentral Agent as well as PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.

“As of June 2023, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually relating to pending charges on the victims’ account,” FBI said.

Fixes for CVE-2023-47246: 

SysAid’s response, a patch in version 23.3.36, is a critical first step. However, the responsibility doesn’t end there. Organizations must ensure they are updated to this latest version to mitigate the risk. Huntress, for its part, has updated its security platform to detect activities related to this exploit, offering an extra layer of defense.

Indicators of Compromise for CVE-2023-47246

  • Path: C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe
    SHA256: b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d
  • Path: C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war
    SHA256: 5ac0a6c76160772acd8a0de0705362fcdc325138eeadfe3d8d40e4bf2212a146
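As an added example (not from the original post, SysAid or Microsoft), the script below turns the IoC list into a check a defender can run against a SysAidServer installation: it hashes every file under tomcat\webapps\usersfiles and the sibling usersfiles.war, compares each against the two published SHA-256 values, and separately flags any container-executable file type found there, since the post notes that the mere presence of a webshell in that directory is an indicator. The directory layout it assumes, the list of suspicious extensions and the sample tree it builds for demonstration are constructed.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA-256 values taken from the IoC list on this page, keyed to the artefact path.
KNOWN_BAD_SHA256 = {
    "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d":
        "tomcat/webapps/usersfiles/user.exe",
    "5ac0a6c76160772acd8a0de0705362fcdc325138eeadfe3d8d40e4bf2212a146":
        "tomcat/webapps/usersfiles.war",
}

# Constructed list: file types that have no business sitting in an attachment
# directory served by Tomcat. Their presence alone is worth an alert, even when
# the hash is unknown (repacked payloads will not match a published hash).
SUSPICIOUS_SUFFIXES = {".war", ".jsp", ".jspx", ".exe", ".dll", ".ps1", ".bat"}


def sha256_of(path):
    """Stream a file through SHA-256 so large attachments do not sit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_usersfiles(server_root, ioc_hashes=KNOWN_BAD_SHA256):
    """Return a sorted list of (relative_path, reason) findings for the
    usersfiles tree and the usersfiles.war archive under <server_root>.

    The layout <server_root>/tomcat/webapps/... mirrors the paths in the IoC
    list; server_root would be C:\\Program Files\\SysAidServer on a real host.
    """
    root = Path(server_root)
    webapps = root / "tomcat" / "webapps"
    candidates = []
    war = webapps / "usersfiles.war"
    if war.is_file():
        candidates.append(war)
    usersfiles = webapps / "usersfiles"
    if usersfiles.is_dir():
        candidates.extend(p for p in usersfiles.rglob("*") if p.is_file())

    findings = []
    for p in candidates:
        rel = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        if digest in ioc_hashes:
            findings.append((rel, f"sha256 {digest} matches IoC {ioc_hashes[digest]}"))
        elif p.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings.append((rel, f"unexpected {p.suffix.lower()} artefact in usersfiles tree"))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed, clearly synthetic SysAidServer-like layout so the
    scanner can be demonstrated offline. The contents are placeholder bytes,
    not real binaries, so only the presence rule fires on them."""
    root = Path(base) / "SysAidServer"
    uf = root / "tomcat" / "webapps" / "usersfiles"
    uf.mkdir(parents=True)
    (uf / "ticket-1001.txt").write_bytes(b"benign attachment text (constructed)")
    (uf / "user.exe").write_bytes(b"constructed placeholder, not the real binary")
    (root / "tomcat" / "webapps" / "usersfiles.war").write_bytes(b"PK constructed placeholder")
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan a real installation root passed on the command line.
        results = scan_usersfiles(sys.argv[1])
    else:
        # No argument: demonstrate on the constructed sample tree.
        with tempfile.TemporaryDirectory() as tmp:
            results = scan_usersfiles(build_sample_tree(tmp))
    for rel, why in results:
        print(f"{rel}: {why}")
    if not results:
        print("no findings")
```

Run it with the SysAidServer installation directory as the only argument; with no argument it scans the constructed sample tree and reports the placeholder user.exe and usersfiles.war by file type. Hash matches are the high-confidence signal, while the presence rule catches variants whose hashes were never published.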

How Phoenix Security Can Help

Phoenix Security provides comprehensive security solutions such as ASPM and vulnerability management that cover vulnerabilities from code to cloud, which are essential for accelerating and scaling vulnerability management. Phoenix Security automatically ingests vulnerabilities from code to cloud and prioritizes them at scale. Phoenix also communicates the timeframe for resolution for government organizations that must comply with CISA and related regulations.

Phoenix Security serves as a beacon for security professionals aiming to pinpoint CISA KEV and ransomware-related exploits within their systems. It scans your products, identifying instances where a CISA KEV vulnerability may affect them. By leveraging Phoenix Security, you not only uncover the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focused on the key vulnerabilities.


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Francesco Cipollone
