Severity
High
Analysis Summary
Threat actors are currently deploying Clop ransomware by exploiting a zero-day flaw in SysAid, an IT service management product, to gain unauthorized access to corporate servers and steal sensitive data.
SysAid is an IT Service Management (ITSM) solution that provides a range of tools for managing an organization's IT services. The Clop ransomware operation is known for exploiting zero-day flaws in widely used software, as it recently did with MOVEit Transfer and GoAnywhere MFT.
The zero-day is tracked as CVE-2023-47246 and was discovered on 2 November after threat actors had already exploited it to break into SysAid on-premise servers. Microsoft's cybersecurity team was the first to observe the flaw being abused in the wild and immediately alerted SysAid. Microsoft also attributed the exploitation to the threat actor tracked as Lace Tempest (aka FIN11 and TA505), which used it to deploy Clop ransomware.

SysAid published a report on CVE-2023-47246 explaining that it leads to unauthorized code execution. The attacker used the zero-day to upload a WAR (Web Application Resource) archive containing a web shell into the web root of the SysAid Tomcat web service.
This let the attackers run further PowerShell scripts and load the GraceWire malware, which was then injected into a legitimate process. The malware loader also checks running processes to ensure that no security products are present on the infected device.
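A defender triaging a deployed WAR archive wants to know whether it carries anything Tomcat will execute server-side, and whether that content is reachable by URL (a JSP placed outside WEB-INF is). The script below is an added example written for this alert, not SysAid's or Rewterz's code; it assumes Tomcat's standard rule that WEB-INF and META-INF contents are never served directly, and it builds a constructed sample archive in memory rather than reading a real one from disk.

```python
"""Triage a WAR archive for entries that can execute server-side code.

Added example, not SysAid's or Rewterz's code. The sample archive is
constructed inline; point triage_war() at the bytes of a real WAR from
the Tomcat webapps directory to use it for real.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Entry types Tomcat will compile or load when present in a WAR.
EXECUTABLE_SUFFIXES = {".jsp", ".jspx", ".class", ".jar"}
# Directories the servlet container never serves directly to clients.
PRIVATE_DIRS = {"WEB-INF", "META-INF"}


def triage_war(war_bytes: bytes) -> dict:
    """Return executable entries, the subset that is URL-addressable, and
    an overall 'suspicious' flag (True when a JSP sits outside WEB-INF)."""
    findings = {"executable": [], "addressable": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            suffix = path.suffix.lower()
            if suffix not in EXECUTABLE_SUFFIXES:
                continue
            findings["executable"].append(info.filename)
            # A JSP outside WEB-INF/META-INF is reachable as
            # http://host/<app>/<path>, which is how a dropped web shell
            # is normally invoked.
            if path.parts[0] not in PRIVATE_DIRS and suffix in {".jsp", ".jspx"}:
                findings["addressable"].append(info.filename)
    findings["suspicious"] = bool(findings["addressable"])
    return findings


def build_sample_war() -> bytes:
    """Constructed sample: a benign page, a normal class under WEB-INF, and a
    placeholder JSP at the archive root (it is only a JSP comment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html>hello</html>")
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/classes/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("help.jsp", "<%-- placeholder JSP, not a real web shell --%>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_war(build_sample_war()))
```

Run on a real archive with `triage_war(Path("/path/to/app.war").read_bytes())`; a non-empty `addressable` list on a WAR that should not contain any JSP at all is the signal to pull the file for analysis and check the Tomcat access log for requests to that path.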

After exfiltrating data, the attackers attempted to cover their tracks with another PowerShell script that deletes activity logs. Lace Tempest also deployed additional scripts to fetch a Cobalt Strike listener onto the compromised systems.
SysAid patched the vulnerability quickly after learning of it, and the fix is now publicly available as a software update. All users are strongly advised to upgrade to version 23.3.36 or later.
Impact
- Sensitive Data Theft
- Code Execution
- Financial Loss
Indicators of Compromise
MD5
- c9d5934e996e50b1417ac5ba5fb87103
SHA-256
- b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d
SHA-1
- 30d083734c44641f35079498faa1bfffdad37434
IP
- 81.19.138.52
- 45.182.189.100
- 45.155.37.105
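The indicators above are only useful once they are run against your own artifacts. The script below is an added example, not Rewterz's tooling: it carries the three file hashes and three IP addresses exactly as listed in this alert, hashes file contents with all three algorithms so a match on any one counts, and scans log lines for the listed IPs. The sample log lines (and the port number in the last one) are constructed for the example.

```python
"""Match this alert's IoCs against file contents and log lines.

Added example, not Rewterz's tooling. Hashes and IPs are copied from the
alert; sample log lines are constructed.
"""
import hashlib
import re
from pathlib import Path

IOC_HASHES = {
    "c9d5934e996e50b1417ac5ba5fb87103",                                  # MD5
    "30d083734c44641f35079498faa1bfffdad37434",                          # SHA-1
    "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d",  # SHA-256
}
IOC_IPS = {"81.19.138.52", "45.182.189.100", "45.155.37.105"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hashes_of(data: bytes) -> set:
    """MD5, SHA-1 and SHA-256 of the same bytes, so any listed form matches."""
    return {
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    }


def hash_hits(data: bytes, iocs=IOC_HASHES) -> set:
    """Digests of `data` that appear in the IoC set; empty set means clean."""
    return hashes_of(data) & set(iocs)


def scan_files(paths, iocs=IOC_HASHES) -> list:
    """Return the paths whose content matches a listed hash."""
    hits = []
    for p in map(Path, paths):
        if p.is_file() and hash_hits(p.read_bytes(), iocs):
            hits.append(p)
    return hits


def scan_log_lines(lines, iocs=IOC_IPS) -> list:
    """Return (line_number, ip) for every line mentioning a listed IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs:
                hits.append((n, ip))
    return hits


# Constructed sample: two Tomcat-style access log lines, one proxy/firewall
# style line. Line 2 and line 4 carry IPs from the alert.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '45.155.37.105 - - [08/Nov/2023:10:02:17 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [08/Nov/2023:10:03:40 +0000] "GET /css/site.css HTTP/1.1" 304 0',
    "outbound connection 10.0.0.5 -> 81.19.138.52:443",  # port is constructed
]

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG))
    print(scan_files(Path(".").glob("*")))
```

Feed `scan_files` the paths under the Tomcat webapps directory and any recently modified files in the SysAid installation, and `scan_log_lines` the access, proxy and firewall logs covering the window since the vulnerability was disclosed; the IoC sets are parameters so the same functions work unchanged for indicators from a later alert.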
Remediation
- Upgrade to the latest version of On-Premise, available from the SysAid Website.
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- It is important for organizations to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.