IT support software from SysAid being exploited in the wild

Clear IOCs, guidance and documentation: A commendable response from SysAid.

A vulnerability in software from SysAid, an IT support software company, is being exploited by ransomware threat groups. The SysAid Server vulnerability, allocated CVE-2023-47426, was patched November 8. Users should urgently update and also check for possible exploitation.

SysAid had been warned by Microsoft Threat Intelligence that it was seeing signs of exploitation of its on-premises software by a ransomware affiliate group it tracks as "Lace Tempest". It then contracted incident response company Profero, which identified the path traversal vulnerability.

Given its capabilities (remote desktop and server management, patching and updates of all active assets, etc.), on-premises SysAid Server is mercifully not commonly exposed to the internet; a Shodan search for the default title of SysAid servers returns approximately 230 instances.

(SysAid deserves commendation for a swift patch, supporting clear public analysis from Profero and installation guides that clearly and simply encourage users to not expose instances to the public internet.)

Researchers at Huntress Labs found that the vulnerability exists in the doPost method within the SysAid com.ilient.server.UserEntry class.

"By injecting a path traversal into the accountID parameter and supplying a zlib compressed WAR file webshell as the POST request body, an attacker can control where this webshell is written on the vulnerable server. The attacker can then request the webshell by browsing to the URL where it now resides to gain access to the server," the cybersecurity company said.

I'm a SysAid customer. Gulp. What should I do?

  • Update to 23.3.36, which includes the patch for the zero-day.
  • Conduct a thorough compromise assessment of your SysAid server to look for any indicators mentioned here.
  • Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior.

Profero said: "The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest)... The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The full directory path was C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.

"The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan, injecting it into one of the following processes:

  • spoolsv.exe
  • msiexec.exe
  • svchost.exe

"After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker’s actions from the disk and the SysAid on-prem server web logs."

Huntress Labs, Rapid7, and Profero, which discovered the vulnerability, have all shared details on the IT service management company’s bug. Microsoft added: "Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware."
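As a starting point for the compromise assessment recommended above, the following added example (not code from SysAid, Profero, Huntress or Microsoft) scans Tomcat access-log lines for the two request patterns the article describes: a request to the UserEntry endpoint whose accountID parameter carries a path traversal, and any later request served from a path named after the usersfiles directory where the WAR was dropped. The log lines are constructed samples, and the assumption that the dropped WAR is served under a /usersfiles/ URL path follows from the directory name quoted above, not from anything the page states outright.

```python
import re
from urllib.parse import unquote

# Constructed sample Tomcat access-log lines (combined format); not real SysAid logs.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2023:10:01:12 +0000] "GET /UserEntry?accountID=acme HTTP/1.1" 200 512
10.0.0.9 - - [08/Nov/2023:10:02:40 +0000] "POST /UserEntry?accountID=%2e%2e%2f%2e%2e%2fusersfiles HTTP/1.1" 200 0
10.0.0.9 - - [08/Nov/2023:10:03:05 +0000] "GET /usersfiles/index.jsp HTTP/1.1" 200 38
10.0.0.7 - - [08/Nov/2023:10:04:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048
"""

# ip, two ident/user fields, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Traversal sequences are checked after URL decoding, so encoded forms are caught too.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')


def find_indicators(log_text):
    """Return one dict per suspicious request: ip, ts, reason and the raw line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line; skip rather than guess
        # Decode twice so a double-encoded %252e%252e%252f does not slip past.
        decoded = unquote(unquote(m["path"]))
        url, _, query = decoded.partition("?")
        url_l, query_l = url.lower(), query.lower()
        if url_l.endswith("/userentry") and "accountid=" in query_l and TRAVERSAL_RE.search(query):
            reason = "traversal in UserEntry accountID parameter"
        elif "/usersfiles/" in url_l:
            reason = "request served from usersfiles path (assumed webshell location)"
        else:
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "status": m["status"], "reason": reason, "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} -> {hit["reason"]}')
```

Because the second PowerShell script described above wiped the server's web logs, an empty result is not evidence of absence; run the same check over any reverse-proxy, WAF or centrally forwarded copies of the logs.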