SysAid On-Premise Server Vulnerability and Active Exploitation by Ransomware Gang (CVE-2023-47246)

Qualys Security Advisory

Introduction

SysAid, a leading IT Service Management (ITSM) solutions provider, recently issued a critical advisory. The notice reveals a previously undisclosed vulnerability in their on-premise server software, which is currently being exploited in the wild. This escalation comes after Microsoft alerted SysAid to the threat, linking it to the notorious ransomware gang TA505, also known as Lace Tempest or the cl0p ransomware group.

SysAid’s suite is essential for managing IT services within organizations. However, the spotlight is now on a zero-day vulnerability within their service management software. Threat actors exploit this flaw to enter corporate servers, leading to significant data theft and the deployment of Clop ransomware.

Investigation, Findings and Recommendations

The vulnerability, currently identified as CVE-2023-47246, was discovered on November 2 following a breach on SysAid’s on-premise servers. The attackers uploaded a malicious WAR archive into the SysAid Tomcat web service, enabling code execution and subsequent malware deployment, including the GraceWire loader.

SysAid is urging all customers with on-premise server installations to update immediately to version 23.3.36, which addresses this vulnerability. Additionally, they recommend conducting a thorough compromise assessment of networks to detect any further breach indicators.

For a detailed analysis, comprehensive recommendations, and specific indicators of compromise, please refer to SysAid official blog. This resource provides in-depth information and guidance essential for effectively addressing and mitigating the risks associated with this vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 730970 (available in VULNSIGS-2.5.909-3) to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

Conclusion

The disclosure of this vulnerability and its exploitation by a sophisticated ransomware gang is a reminder of the persistent cyber threats organizations face. SysAid users must follow the recommended updates and security checks to safeguard their systems against such vulnerabilities.

READ MORE