On November 2, 2023, SysAid was made aware of a zero-day path traversal vulnerability allowing remote code execution in its on-premises ITSM solution. SysAid's investigation determined that the vulnerability was being actively exploited by a ransomware affiliate group known as Lace Tempest (DEV-0950), a group known for deploying the CL0P ransomware payload. SysAid issued an advisory on November 8, 2023 regarding the vulnerability, which was designated CVE-2023-47246.
In SysAid's investigation of this campaign, the threat actors were observed leveraging this vulnerability to deploy a WAR archive containing a webshell to a vulnerable server. They were subsequently observed injecting the GraceWire trojan into a system process and tampering with application logs to cover their tracks.
Âé¶¹¹û¶³ has detections in place for common post-compromise activities involved in ransomware campaigns, such as the unusual PowerShell activity described here, as well as detections for the specific indicators of compromise that have been reported. Âé¶¹¹û¶³ will alert on observed malicious activity associated with this campaign as part of the Managed Detection and Response service.
Because this vulnerability is being actively exploited by a ransomware group, Âé¶¹¹û¶³ strongly recommends updating to a fixed version of SysAid as soon as possible.
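The following is an added example, written for this page and not part of the original advisory or of any vendor's detection content. It illustrates a defender-side check for the two earliest steps described above: path traversal in a request target and the write of a WAR archive to a web application. The log lines, hostnames, paths and IP addresses are constructed for the example and are not SysAid's real paths or real indicators. The detection decodes the request target repeatedly before matching, because a single percent-decode misses double-encoded traversal sequences, and it ignores a benign filename that merely contains two dots.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access log lines in combined-log style (not real SysAid logs).
# Lines 2 and 3 carry traversal sequences (single- and double-encoded); line 6 writes
# a WAR archive; line 5 is a benign filename that contains ".." but is not traversal.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2023:10:15:01 +0000] "GET /app/login HTTP/1.1" 200 5120
203.0.113.7 - - [02/Nov/2023:10:16:44 +0000] "POST /app/upload?file=..%2F..%2Fwebapps%2FROOT HTTP/1.1" 200 12
203.0.113.7 - - [02/Nov/2023:10:17:02 +0000] "POST /app/upload?file=%252e%252e%252f%252e%252e%252fwebapps%252fROOT HTTP/1.1" 200 12
198.51.100.9 - - [02/Nov/2023:10:18:30 +0000] "GET /app/images/logo.png HTTP/1.1" 200 2048
198.51.100.9 - - [02/Nov/2023:10:18:45 +0000] "GET /app/docs/release..notes.txt HTTP/1.1" 200 900
203.0.113.7 - - [02/Nov/2023:10:19:10 +0000] "PUT /app/uploads/backdoor.war HTTP/1.1" 201 0
"""

# Combined-log request line: client IP, timestamp, method, target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A ".." segment counts as traversal only when it sits on a path or parameter
# boundary: start of string, after "/", "=" or "&", and before "/", "?", "&" or end.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&])\.\.(?=/|$|[?&])')
# A ".war" target written with a state-changing method.
WAR_RE = re.compile(r'\.war(?=$|[?&/])')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding), then unify
    backslashes to forward slashes and lowercase for matching."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/").lower()


def classify(method: str, normalized: str) -> List[str]:
    """Return the detection reasons that apply to one normalized request."""
    reasons = []
    if TRAVERSAL_RE.search(normalized):
        reasons.append("path-traversal")
    if method in ("PUT", "POST") and WAR_RE.search(normalized):
        reasons.append("war-upload")
    return reasons


def scan_log(text: str) -> List[Dict]:
    """Parse each access log line and collect the requests that trip a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production detector would count these
        normalized = normalize_target(m["target"])
        reasons = classify(m["method"], normalized)
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "method": m["method"],
                "target": m["target"],
                "normalized": normalized,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['target']} -> {f['reasons']}")
```

The decode loop is the part worth keeping in any real rule: a request that looks harmless after one decode may still resolve to a traversal after a second, and matching on raw or once-decoded strings is the usual reason such requests are missed.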
Recommendations for CVE-2023-47246
Recommendation: Upgrade to a fixed version of SysAid
For any customers running the on-premises version of SysAid, the company recommends upgrading to a fixed version as soon as possible, as outlined in the table below.

| Product | Affected Version | Fixed Version |
|---|---|---|
| SysAid On-prem | Versions prior to 23.3.36 | 23.3.36 |

Please follow your organization's patching and testing guidelines to avoid any operational impact.