MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246) - Help Net Security
A critical zero-day vulnerability (CVE-2023-47246) in the SysAid IT support and management software solution is being exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware.

Lace Tempest has previously exploited zero-day vulnerability CVE-2023-34362 in Progress Software's MOVEit Transfer installations to steal data from many enterprises and public sector organizations.

The group has also similarly leveraged zero-days in the Accellion file transfer appliance and Fortra's GoAnywhere file transfer solution.

The limited attacks were first spotted by the Microsoft Threat Intelligence team, which notified Israeli software maker SysAid about them on November 2, 2023.

"We immediately initiated our incident response protocol and began proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified," SysAid's CTO Sasha Shapirov noted.

"We engaged Profero, a cyber security incident response company, to assist us in our investigation. The investigation determined that there was a zero-day vulnerability in the SysAid on-premises software."

The exploited zero-day (CVE-2023-47246) is a path traversal vulnerability that allows threat actors to gain unauthorized access to affected systems and execute arbitrary code.

According to Shapirov, the attackers exploited the vulnerability to upload a WAR archive containing a webshell and other payloads into the webroot directory of the SysAid Tomcat web service.

The webshell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the webshell, to execute a malware loader named user.exe on the compromised host.

The latter injected the GraceWire trojan into various processes (spoolsv.exe, msiexec.exe and svchost.exe).

"This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment," the Microsoft Threat Intelligence team noted.

Finally, the attackers used a second PowerShell script to wipe evidence of their activity from the disk and from the SysAid on-prem server web logs.

The company advised customers using a SysAid on-prem server to update their systems to version v23.3.36, which patches CVE-2023-47246, and to check for the evidence of compromise they provided.

"Look for unauthorized access attempts or suspicious file uploads within the webroot directory of the SysAid Tomcat web service. Look for unusual files within the SysAid webroot directory, especially any WAR files, ZIP files, or JSP files that contain file timestamps that differ from the rest of the SysAid installation files. If SysAid is behind a proxy or a WAF, check the access logs from these services for suspicious POST requests to the server for signs of exploitation," Shapirov advised.

Enterprise defenders should also be on the lookout for unauthorized or suspicious webshells and abnormal PowerShell script execution activities, and check for unusual network connections, unexpected process behavior, or abnormal CPU/memory usage in the processes injected with the GraceWire loader.

"Review any credentials or other information that would have been available to someone with full access to your SysAid server, and check any relevant activity logs for suspicious behavior," he added.

UPDATE (November 10, 2023, 09:15 am ET):

Huntress researchers say they've created a fully weaponized proof-of-concept exploit thanks to the indicators of compromise shared by SysAid, but they will not publish it yet.

They've also discovered one compromised SysAid instance across their partner base showing those same IoCs, and found that it had been compromised on October 30.
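The two hunting checks Shapirov describes (archive or JSP files in the Tomcat webroot whose timestamps stand apart from the rest of the install, and POST requests in proxy/WAF access logs) can be scripted. The following is an added example written for this article, not SysAid's, Microsoft's or Huntress's code. It assumes a generic Apache/Nginx "combined"-style access log, builds a constructed demo webroot in a temporary directory, and uses invented sample paths, hostnames and addresses (documentation IP ranges); the seven-day skew threshold and the allow-list of expected POST endpoints are tuning assumptions a defender would adjust to their own installation.

```python
"""Hunting helpers for a SysAid on-prem Tomcat webroot and its access logs.

Added example for the Help Net Security article; not vendor code. The log
format, the demo webroot layout and all sample values are constructed.
"""
import os
import re
import statistics
import tempfile
import time
from pathlib import Path

# File types the SysAid advisory singles out in the webroot.
SUSPICIOUS_EXT = {".war", ".zip", ".jsp"}

# Apache/Nginx combined log format (assumption: adjust to your proxy/WAF).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_timestamp_outliers(webroot, max_skew_seconds=7 * 24 * 3600):
    """Return WAR/ZIP/JSP files whose mtime sits far from the install baseline.

    A normal installation is written in one go, so file mtimes cluster; the
    median mtime of every file under the webroot is taken as that baseline.
    Suspicious-extension files more than max_skew_seconds away are flagged.
    """
    root = Path(webroot)
    files = [p for p in root.rglob("*") if p.is_file()]
    if not files:
        return []
    baseline = statistics.median(p.stat().st_mtime for p in files)
    flagged = [
        p.relative_to(root).as_posix()
        for p in files
        if p.suffix.lower() in SUSPICIOUS_EXT
        and abs(p.stat().st_mtime - baseline) > max_skew_seconds
    ]
    return sorted(flagged)


def suspicious_posts(log_lines, allowed_post_paths=frozenset({"/login"})):
    """Return (ip, path, status) for POST requests that warrant review.

    Heuristic (an assumption, not from the advisory): a POST is reported when
    its path names an archive/JSP or is not on the allow-list of endpoints the
    application is expected to receive POSTs on.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        ext = os.path.splitext(path)[1].lower()
        if ext in SUSPICIOUS_EXT or path not in allowed_post_paths:
            hits.append((m["ip"], path, int(m["status"])))
    return hits


def build_demo_webroot():
    """Create a constructed webroot: install files dated 90 days ago plus two
    freshly written files of the kinds the advisory says to look for."""
    root = Path(tempfile.mkdtemp(prefix="sysaid-demo-"))
    install_time = time.time() - 90 * 24 * 3600
    for name in ("WEB-INF/web.xml", "index.jsp", "lib/app.jar"):
        f = root / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("install")
        os.utime(f, (install_time, install_time))  # backdate to install time
    for name in ("uploads/payload.war", "tmp/index.jsp"):
        f = root / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("fresh")  # mtime is now: far from the baseline
    return root


# Constructed access log lines (IPs from documentation ranges).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Oct/2023:14:02:11 +0000] "GET /login.jsp HTTP/1.1" 200 5123
10.0.0.5 - - [30/Oct/2023:14:02:20 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.23 - - [30/Oct/2023:14:05:41 +0000] "POST /uploads/payload.war HTTP/1.1" 200 0
198.51.100.23 - - [30/Oct/2023:14:06:02 +0000] "GET /tmp/index.jsp HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    demo_root = build_demo_webroot()
    print("timestamp outliers:", find_timestamp_outliers(demo_root))
    print("suspicious POSTs:", suspicious_posts(SAMPLE_LOG.splitlines()))
```

Both checks are deliberately noisy rather than precise: a legitimate hotfix dropped into the webroot will also trip the timestamp test, and any POST endpoint missing from the allow-list will be reported. That is the intended trade-off for a hunt, where the analyst triages the short list by hand; the point of the timestamp check in particular is that it does not depend on knowing the attacker's file names.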