
MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246)
2023-11-09 14:50

A critical zero-day vulnerability in the SysAid IT support and management software solution is being exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware.

The group has similarly leveraged zero-days in the Accellion file transfer appliance and Fortra's GoAnywhere file transfer solution.

According to Shapirov, the attackers exploited the vulnerability to upload a WAR archive containing a webshell and other payloads into the webroot directory of the SysAid Tomcat web service.

Finally, the attackers used a second PowerShell script to wipe evidence of their activity from the disk and the SysAid on-prem server web logs.

"Look for unauthorized access attempts or suspicious file uploads within the webroot directory of the SysAid Tomcat web service. Look for unusual files within the SysAid webroot directory, especially any WAR files, ZIP files, or JSP files that contain file timestamps that differ from the rest of the SysAid installation files. If SysAid is behind a proxy or a WAF, check the access logs from these services for suspicious POST requests to the server for signs of exploitation," Shapirov advised.

"Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior," he added.
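As an added illustration of the review steps Shapirov describes above (this is not code from the article, from SysAid or from Help Net Security), the following Python flags WAR, ZIP and JSP files under a webroot whose modification time stands apart from the rest of the installation, and pulls POST requests out of combined-format proxy/WAF access logs for review. The webroot path, the 24-hour window, the combined log format and the sample entries and log lines are assumptions.

```python
import os
import re
import statistics
# Extensions the advice singles out for review inside the Tomcat webroot.
SUSPECT_EXTENSIONS = (".war", ".zip", ".jsp")

def outlier_files(entries, window_hours=24):
    """entries: (relative_path, mtime_epoch) for every file under the webroot.
    Returns suspect-extension files whose mtime is more than window_hours away
    from the median mtime, which stands in for 'the rest of the installation'."""
    if not entries:
        return []
    baseline = statistics.median(m for _, m in entries)
    limit = window_hours * 3600
    return sorted(p for p, m in entries
                  if p.lower().endswith(SUSPECT_EXTENSIONS) and abs(m - baseline) > limit)

def scan_webroot(root, window_hours=24):
    """Walk a real directory (the webroot path is site-specific) and apply outlier_files."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root), os.path.getmtime(full)))
    return outlier_files(entries, window_hours)

# Combined log format as written by Apache httpd / nginx reverse proxies (assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def post_requests(log_lines):
    """Return (ip, timestamp, path, status) for every POST in proxy/WAF access logs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST":
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), m.group("status")))
    return hits

# Constructed sample data, not taken from any real SysAid host.
BASE = 1_690_000_000  # epoch time when the bulk of the files were installed
SAMPLE_ENTRIES = [("WEB-INF/lib/a.jar", BASE), ("WEB-INF/web.xml", BASE + 30),
                  ("index.jsp", BASE + 60), ("help/report.zip", BASE + 90),
                  ("upload.war", BASE + 40 * 86400), ("css/x.jsp", BASE + 41 * 86400)]
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Nov/2023:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/Nov/2023:10:01:09 +0000] "POST /form HTTP/1.1" 200 17',
    '198.51.100.9 - - [08/Nov/2023:10:02:11 +0000] "POST /login HTTP/1.1" 302 0',
]
```

On a live server, `scan_webroot(path_to_tomcat_webroot)` produces the timestamp outliers; the files it lists still need manual review, since a legitimate patch can also leave newer files behind.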


News URL

https://www.helpnetsecurity.com/2023/11/09/exploited-cve-2023-47246/