Last updated Fri, 10 Nov 2023 19:25:41 GMT

On November 8, 2023, IT service management company SysAid disclosed CVE-2023-47246, a zero-day path traversal vulnerability affecting on-premise SysAid servers. According to Microsoft’s threat intelligence team, it has been exploited in the wild by DEV-0950 (Lace Tempest) in “limited attacks.” In a social media thread published the evening of November 8, Microsoft emphasized that Lace Tempest distributes the Cl0p ransomware, and that exploitation of CVE-2023-47246 is likely to result in ransomware deployment and/or data exfiltration. Lace Tempest is the same threat actor who perpetrated the MOVEit Transfer and GoAnywhere MFT extortion attacks earlier this year.

Note: Rapid7 is investigating evidence of compromise related to this vulnerability in at least one customer environment.

SysAid’s advisory on CVE-2023-47246 includes the results of an investigation by Profero, who discovered the vulnerability; the advisory says the attacker “uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” Post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware. There are extensive details about the attack chain in the vendor advisory, along with robust indicators of compromise. An employee of technology company Elastic also reported on the evening of November 8 that Elastic had observed exploitation in the wild as far back as October 30.

SysAid’s website claims that the company has upwards of 5,000 customers, including a number of large corporations whose logos adorn SysAid’s customer page. Shodan searches for either a specific CSS file or the favicon both return only 416 instances of SysAid exposed to the public internet. (Note that “exposed” does not necessarily imply that those instances are vulnerable.)

Mitigation guidance

SysAid server version 23.3.36 fixes CVE-2023-47246. Given the potential for ransomware and extortion, organizations with on-premise SysAid servers should apply the vendor-supplied patches on an emergency basis, invoking incident response procedures if possible, and ensure the server is not exposed to the public internet. We also strongly recommend reviewing the indicators of compromise in SysAid’s advisory and examining environments for suspicious activity, though it is worth noting that the advisory says the adversaries may cover their tracks by cleaning up logs and artifacts on disk.

Indicators of compromise

SysAid has an extensive list of IOCs and observed attacker behavior in their advisory. Rather than duplicating it here, we urge organizations to use that vendor advisory as their starting source of truth for threat hunting: http://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

Rapid7 has a Velociraptor artifact available to help organizations identify post-exploitation activity related to this zero-day vulnerability:

  • Yara.Process: Targets observed malware and Cobalt Strike via process YARA
  • Disk.Ntfs: Targets known disk IOCs via Windows.NTFS.MFT
  • Forensic.Usn: Targets known disk IOCs via the USN journal
  • Evtx.Defender: Searches Defender event logs for evidence of associated alerts
  • Evtx.NetworkIOC: Targets known strings of network IOCs in firewall, Sysmon and PowerShell logs
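The advisory describes the initial foothold as a WAR archive containing a WebShell dropped into the SysAid Tomcat webroot. As an added, defender-side example (not code from Rapid7, SysAid or the Velociraptor artifact above), the script below hunts a webroot for WAR files modified since a cutoff date whose JSP entries contain OS command-execution calls; the webroot path, cutoff date and indicator patterns are assumptions to adapt to your own deployment, and the sample WAR builder exists only to construct test input.

```python
"""Hunt a Tomcat webroot for WAR archives that bundle a JSP webshell (constructed example)."""
import io
import re
import zipfile
from datetime import datetime, timezone
from pathlib import Path

# Calls a JSP webshell needs in order to run OS commands (assumed, non-exhaustive pattern list).
SUSPICIOUS_JSP = re.compile(rb"Runtime\.getRuntime\(\)\s*\.exec\s*\(|new\s+ProcessBuilder\s*\(")


def build_war(files: dict) -> bytes:
    """Build an in-memory WAR (a zip) from {path: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        for name, content in files.items():
            war.writestr(name, content)
    return buf.getvalue()


def scan_war_bytes(data: bytes) -> list:
    """Return the JSP/JSPX entries of a WAR whose source contains command-execution calls."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as war:
        for entry in war.infolist():
            if entry.is_dir() or not entry.filename.lower().endswith((".jsp", ".jspx")):
                continue
            hits = sorted({m.group(0).decode() for m in SUSPICIOUS_JSP.finditer(war.read(entry))})
            if hits:
                findings.append({"entry": entry.filename, "indicators": hits})
    return findings


def hunt_webroot(webroot: Path, since: datetime) -> list:
    """Report every WAR under webroot modified at or after `since` that holds a suspicious JSP."""
    reports = []
    for war_path in sorted(webroot.rglob("*.war")):
        mtime = datetime.fromtimestamp(war_path.stat().st_mtime, tz=timezone.utc)
        if mtime < since:
            continue
        try:
            hits = scan_war_bytes(war_path.read_bytes())
        except zipfile.BadZipFile:  # a .war that is not a zip at all is itself worth a look
            hits = [{"entry": "<not a zip>", "indicators": ["malformed archive"]}]
        if hits:
            reports.append({"war": str(war_path), "modified": mtime.isoformat(), "findings": hits})
    return reports
```

A reasonable cutoff for `hunt_webroot` is October 30, 2023, the earliest exploitation date Elastic reported; because the advisory notes the adversaries clean up artifacts on disk, an empty result does not rule out compromise.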

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-47246 with an authenticated Windows check available in today’s (November 9) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:

  • Attacker Technique - SpoolSV Spawns CMD or PowerShell
  • Attacker Technique - Possible Process Injection
  • Attacker Technique - PowerShell Download Cradles
  • Attacker Tool - CobaltStrike PowerShell Commands
  • Suspicious Network Connection - Destination Address in Cobalt Strike C2 List

Updates

November 9, 2023: Updated to note that Profero conducted the investigation that identified the zero-day vulnerability. Microsoft is credited with detecting exploitation in the wild.

Updated to note that Rapid7 is investigating evidence of compromise related to this vulnerability in at least one customer environment.