CVE-2023-47246 Detection: Lace Tempest Hackers Actively Exploit a Zero-Day Vulnerability in SysAid IT Software
- Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America - 24.04.2024
- UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine - 23.04.2024
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
Table of contents:
This November, a set of new zero-days in the popular software products are emerging in the cyber domain, like CVE-2023-22518 affecting all versions of Confluence Data Center and Server. Shortly after its disclosure, another zero-day flaw in SysAid IT software tracked under CVE-2023-47246 comes to the scene. Microsoft revealed traces of vulnerability exploitation, with the Lace Tempest group, earlier known for the delivery of Clop ransomware, behind in-the-wild attacks.
Detect CVE-2023-47246 Exploitation Attempts
With Clop ransomware operators actively exploiting a new zero-day SysAid IT vulnerability, progressive organizations are striving to proactively defend their infrastructure. SOC Prime Platform provides defenders with a new curated Sigma rule to detect CVE-2023-47246 exploitation attempts available via a link below:
War Archive File Created In The SysAid Tomcat Folder [CVE-2023-47246] (via file_event)
The detection algorithm identifies a WAR archive created in the SysAid Tomcat directory, which may be an indicator of CVE-2023-47246 vulnerability exploitation. This Sigma rule addresses the MITRE ATT&CK Initial Access tactic along with the Exploit Public-Facing Application as its main technique (T1190). The detection code can also be instantly converted into dozens of SIEM, EDR, XDR, and Data Lake language formats.
In addition, defenders can click the Explore Detections button below to access more content related to the detection of CVE-2023-47246 exploitation attempts. Instantly reach relevant Sigma rules, take advantage of actionable metadata, and leave no chance for attackers to strike first.
CVE-2023-47246 Analysis
Lace Tempest group known for spreading Clop ransomware is currently observed exploiting a new critical security bug in SysAid IT support and management software. Microsoft recently uncovered CVE-2023-47246, a novel zero-day vulnerability weaponized in a series of attacks attributed to the Lace Tempest hackers. After the issue discovery, Microsoft instantly reported SysAid about the flaw, resulting in its prompt patching.
CVE-2023-47246 is a path traversal flaw that can be weaponized by attackers via writing a file to the Tomcat webroot, potentially leading to code execution in on-prem SysAid instances. Following the initial access and the user.exe malware deployment, threat actors apply a PowerShell script to wipe any traces of their activity from the disk and logs of the on-prem SysAid server. During the investigation, it was also discovered that Lace Tempest applied the GraceWire loader to spread the infection further. Furthermore, the attack chains are marked by leveraging both the MeshCentral Agent remote admin tool and PowerShell to download and run Cobalt Strike on the victim devices.
SysAid has fixed the issue in the software v23.3.36, however, instances prior to this version are exposed to exploitation risks.
Lace Tempest hacking collective aka DEV-0950 has also been linked to the attacks weaponizing critical security flaws, including CVE-2023-34362, a zero-day in MOVEit Transfer, and CVE-2023-27350, an RCE flaw in PaperCut servers. Lace Tempest group overlaps with other hacking collectives tracked as FIN11 and TA505, as Microsoft reports in related tweets.
SysAid recommends taking a set of CVE-2023-47246 mitigation measures, primarily, updating the on-premises instances to the latest 23.3.36 version, performing a thorough compromise assessment of the potentially impacted server based on relevant IOCs, and continuously monitoring logs for any signs of suspicious behavior.
With the growing number of attacks leading to ransomware deployment, organizations are looking for ways to continuously adapt their defenses to emerging threats and minimize the risks. Rely on SOC Primeās Threat Detection Marketplace to keep your finger on the pulse of the ever-changing threat landscape and gain from 900+ curated SOC content for ransomware detection enriched with CTI and tailored for your threat profile.
