MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246)
A critical zero-day vulnerability in the SysAid IT support and management software solution is being exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware.
The group has also similarly leveraged zero days in the Accellion file transfer appliance and Fortra's GoAnywhere file transfer solution.
According to Shapirov, the attackers exploited the vulnerability to upload a WAR archive containing a webshell and other payloads into the webroot directory of the SysAid Tomcat web service.
Finally, the attackers used a second PowerShell script to wipe evidence of their activity from the disk and the SysAid on-prem server web logs.
"Look for unauthorized access attempts or suspicious file uploads within the webroot directory of the SysAid Tomcat web service. Look for unusual files within the SysAid webroot directory, especially any WAR files, ZIP files, or JSP files that contain file timestamps that differ from the rest of the SysAid installation files. If SysAid is behind a proxy or a WAF, check the access logs from these services for suspicious POST requests to the server for signs of exploitation," Shapirov advised.
"Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior," he added.
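The two checks in the quoted guidance (WAR/ZIP/JSP files whose timestamps stand apart from the rest of the installation, and POST requests in proxy or WAF access logs that fall outside normal traffic) can be scripted for triage. The script below is an added example, not code from the article, from SysAid, or from Shapirov; the webroot layout, the Combined Log Format assumed for the proxy logs, the one-day outlier threshold, the known-good path baseline and every sample log line are constructed for illustration and are not SysAid-specific values.

```python
"""Triage helpers for the SysAid webroot and access-log indicators quoted above.
Added example; assumptions: the webroot contents, the proxy log format
(Combined Log Format) and the outlier threshold are all placeholders."""
import os
import re
import statistics
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types the guidance singles out inside the Tomcat webroot.
SUSPECT_SUFFIXES = {".war", ".zip", ".jsp"}

# Combined Log Format, as written by common reverse proxies (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_timestamp_outliers(webroot, threshold_seconds=86400):
    """Return WAR/ZIP/JSP files whose mtime differs from the median mtime of the
    whole webroot by more than threshold_seconds. Installer files cluster around
    one time, so a file dropped later stands out; a .jsp shipped with the
    product keeps the installer timestamp and is not reported."""
    files = [p for p in Path(webroot).rglob("*") if p.is_file()]
    if len(files) < 2:
        return []
    mtimes = {p: p.stat().st_mtime for p in files}
    median = statistics.median(mtimes.values())
    return sorted(
        str(p.relative_to(webroot))
        for p, m in mtimes.items()
        if p.suffix.lower() in SUSPECT_SUFFIXES and abs(m - median) > threshold_seconds
    )


def post_requests_outside_baseline(log_lines, known_good_paths):
    """Parse access-log lines and return (client_ip, path, status) for every POST
    whose path is not in the analyst's known-good baseline or that targets a
    suspect file type. Unparseable lines are skipped rather than raising."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop query string before comparing
        if path not in known_good_paths or Path(path).suffix.lower() in SUSPECT_SUFFIXES:
            hits.append((m["ip"], path, int(m["status"])))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Nov/2023:14:02:11 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Nov/2023:14:02:15 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
    '198.51.100.9 - - [08/Nov/2023:14:05:40 +0000] "POST /constructed/upload.war HTTP/1.1" 200 0',
    '198.51.100.9 - - [08/Nov/2023:14:05:42 +0000] "POST /constructed/cmd.jsp HTTP/1.1" 200 133',
    'garbage line that does not parse',
]
# Baseline of POST paths seen in normal traffic (constructed placeholder).
KNOWN_GOOD_POST_PATHS = {"/login"}


def build_demo_webroot():
    """Construct a throwaway webroot: five 'installer' files sharing one
    timestamp plus one .war written ten days later."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    install_time = datetime(2023, 1, 10, tzinfo=timezone.utc).timestamp()
    for name in ("index.jsp", "web.xml", "app.js", "style.css", "lib.jar"):
        p = root / name
        p.write_text("installer content")
        os.utime(p, (install_time, install_time))
    dropped = root / "dropped.war"
    dropped.write_bytes(b"PK\x03\x04constructed")
    os.utime(dropped, (install_time + 10 * 86400,) * 2)
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    print("timestamp outliers:", find_timestamp_outliers(root))
    print("POSTs to review:", post_requests_outside_baseline(SAMPLE_LOG, KNOWN_GOOD_POST_PATHS))
```

On a real host, point `find_timestamp_outliers` at the Tomcat webroot and feed `post_requests_outside_baseline` the proxy or WAF access log; the baseline set should be built from a period known to be clean, and every reported file or request is a lead for manual review, not a verdict.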
News URL
https://www.helpnetsecurity.com/2023/11/09/exploited-cve-2023-47246/
Related news
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
- Chinese Earth Krahang hackers breach 70 orgs in 23 countries
- Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems
- Hackers earn $1,132,500 for 29 zero-days at Pwn2Own Vancouver
- Hackers exploit Ray framework flaw to breach servers, hijack resources
- Finland confirms APT31 hackers behind 2021 parliament breach
- U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
- Hacker claims Giant Tiger data breach, leaks 2.8M records online
- MITRE says state hackers breached its network via Ivanti zero-days