On November 2, 2023, SysAid was notified by Microsoft of a zero-day path traversal vulnerability, leading to remote code execution, affecting its on-premises IT service management (ITSM) product. SysAid's investigation determined that the vulnerability was being actively exploited by Lace Tempest (also tracked as DEV-0950), a ransomware affiliate known for deploying the CL0P ransomware payload. SysAid issued a security advisory on November 8, 2023, and the vulnerability was assigned CVE-2023-47246.
SysAid's investigation of the campaign found that the threat actors used the vulnerability to upload a WAR archive containing a webshell and other payloads into the webroot of the SysAid Tomcat web service, giving them code execution on the server. They then injected the GraceWire trojan into a legitimate system process and ran a PowerShell script that deleted evidence from disk and from the SysAid application logs to cover their tracks.
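To make the vulnerability class concrete, the following is an added example written for this bulletin; it is not SysAid's code and not the exploit used in the campaign. It shows an upload destination check in its vulnerable form (a client-supplied file name whose `..` segments are honoured, so a `.war` lands in Tomcat's `webapps/` directory, which auto-deploys it) beside a hardened form. The directory layout, the upload root and the extension allow-list are assumptions for illustration.

```python
"""Added illustration of an upload path-traversal bug and its hardened form.
Not SysAid's code; paths and the extension policy below are assumptions."""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical layout: uploads are meant to land under webapps/uploads, one
# level below Tomcat's webapps/ directory, which auto-deploys any .war it finds.
EXAMPLE_UPLOAD_ROOT = "/srv/tomcat/webapps/uploads"

# Assumed upload policy for the hardened handler (illustrative allow-list).
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg", ".pdf"}


def vulnerable_target(upload_root: str, client_name: str) -> str:
    """BUG: joins the client-supplied name under the upload root and honours
    every '..' segment in it. '../planted.war' therefore resolves one level
    up, into webapps/, where Tomcat will deploy it. Backslashes are treated
    as separators to mirror a Windows host."""
    return str(Path(upload_root, client_name.replace("\\", "/")).resolve())


def escapes_root(upload_root: str, target: str) -> bool:
    """True if target is neither the upload root nor a descendant of it."""
    root = Path(upload_root).resolve()
    t = Path(target).resolve()
    return t != root and root not in t.parents


def safe_target(upload_root: str, client_name: str) -> Optional[str]:
    """Hardened: returns the destination path, or None if the name is rejected.
    The client may name a single file; it may never name a directory."""
    # Reject separators of either flavour, NUL bytes, and the dot names outright.
    if not client_name or any(c in client_name for c in "/\\\x00"):
        return None
    if client_name in (".", ".."):
        return None
    # Allow-list the extension so a .war or .jsp is never stored, even inside
    # the upload root (in this layout Tomcat would serve and compile a .jsp there).
    if os.path.splitext(client_name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    root = Path(upload_root).resolve()
    candidate = (root / client_name).resolve()
    # Belt and braces: re-check containment after canonicalisation.
    if escapes_root(str(root), str(candidate)):
        return None
    return str(candidate)


if __name__ == "__main__":
    # Stand-alone demo against a throwaway directory tree.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "webapps", "uploads")
        os.makedirs(root)
        bad = vulnerable_target(root, "../planted.war")
        print("vulnerable handler would write to:", bad,
              "(outside the upload root)" if escapes_root(root, bad) else "")
        print("hardened handler, same name  :", safe_target(root, "../planted.war"))
        print("hardened handler, report.pdf :", safe_target(root, "report.pdf"))
```

The hardened check rejects any directory component rather than trying to strip it, and still re-verifies containment after canonicalisation; the extension allow-list closes the second route (a JSP or WAR stored inside the permitted directory) that a containment check alone does not.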
Arctic Wolf has detections in place for common post-compromise activity seen in ransomware campaigns, such as the unusual PowerShell activity and process injection used in this campaign, as well as detections for the specific indicators of compromise that have been reported. Arctic Wolf will alert on observed malicious activity associated with this campaign as part of its Managed Detection and Response service.
Because this vulnerability is being actively exploited by a ransomware affiliate, Arctic Wolf strongly recommends upgrading to a fixed version of SysAid as soon as possible.
Recommendations for CVE-2023-47246
Recommendation: Upgrade to a fixed version of SysAid
For any customers running the on-premises version of SysAid, the company recommends upgrading to a fixed version as soon as possible, as outlined in the table below.
| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| SysAid On-Prem | All versions prior to 23.3.36 | 23.3.36 |
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
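The affected/fixed boundary in the table is simple, but version strings are a common place for a fleet triage script to go wrong. The following is an added example, not SysAid's code: it parses dotted version strings numerically, flags hosts below 23.3.36, and shows why a plain string comparison misclassifies a version such as 23.3.4 as already fixed. The inventory, the hostnames and the tolerated build-suffix format are constructed assumptions; check them against the version string your own SysAid installation reports.

```python
"""Added example: deciding which SysAid On-Prem hosts still need the fix.
Not vendor code; the inventory below is constructed for illustration."""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "23.3.36"  # from the advisory table above


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '23.3.36' into (23, 3, 36). Only the leading digits of each
    dotted segment count, so a build suffix such as '23.3.36-b4' (an assumed
    format) still parses; a segment without a leading digit is an error."""
    parts = []
    for seg in version.strip().split("."):
        m = re.match(r"\d+", seg)
        if not m:
            raise ValueError(f"unparseable version segment {seg!r} in {version!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed is older than the fixed version, comparing segment
    by segment as integers. A missing trailing segment counts as 0, so
    '23.3' is older than '23.3.36'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected_naive(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """The mistake to avoid: plain string comparison. '23.3.4' sorts after
    '23.3.36' because '4' > '3', so a vulnerable host is reported as fixed."""
    return installed < fixed


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames still running an affected version, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "itsm-prod-01": "23.3.36",
    "itsm-prod-02": "23.3.4",
    "itsm-dr-01": "22.8.12",
    "itsm-test-01": "23.3.40",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade to {FIXED_VERSION}")
```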