Incident Details
An urgent vulnerability known as CVE-2023-47246 has been discovered in the SysAid IT support and management software. This flaw has been targeted by Lace Tempest, an affiliate associated with the deployment of Cl0p ransomware. Microsoft Threat Intelligence team was the first to detect the (limited) exploitation of this vulnerability and subsequently informed the Israeli software developer, SysAid, on November 2, 2023. In response, SysAid’s CTO Sasha Shapirov stated that they have promptly activated their incident response procedure and have started a proactive communication with their on-premise clients to assist them in applying the mitigation solution they have developed.
Incident
How Did the Breach Happen?
A security breach happened because of a severe zero-day vulnerability identified as CVE-2023-47246 in the SysAid IT support and management software solution. Attackers, particularly Lace Tempest, took advantage of this vulnerability to illicitly enter impacted systems and run unauthorized commands. By placing a WAR archive with a webshell and additional payloads into the webroot directory of the SysAid Tomcat web service, they managed to gain unauthorized entry and manipulate the impacted system.
What Data has been Compromised?
During this security breach, sensitive information was accessed by unauthorized individuals. The compromised data involves different system processes like spoolsv.exe, msiexec.exe, and svchost.exe, which were infected with the GraceWire trojan. The attackers were involved in manual operations such as moving laterally within the network, stealing data, and deploying ransomware.
Why Did the company's Security Measures Fail?
Security measures implemented by the company were compromised by a previously undiscovered zero-day vulnerability (CVE-2023-47246) found in the SysAid on-premises software. Due to its unfamiliarity, the existing security protocols were ineffective in identifying and stopping the security breach.
What Immediate Impact Did the Breach Have on the company?
The company's immediate response to the breach involved disruptions to regular operations, compromised data, the risk of data theft, and the introduction of ransomware by the perpetrators. In response, the company activated its incident response plan and engaged with local customers to swiftly address the issue and apply mitigation measures.
How could this have been prevented?
To prevent this breach, it was essential to quickly update the SysAid on-premises software to fix the zero-day vulnerability (CVE-2023-47246) as soon as it was identified. Furthermore, enhancing security protocols by incorporating intrusion detection systems and threat intelligence could aid in identifying and reducing the impact of similar cyber-attacks.
What have we learned from this data breach?
The significance of promptly addressing and fixing zero-day vulnerabilities in software has been highlighted by this data breach. It is essential for companies to establish a robust incident response plan and keep customers informed to ensure the timely application of mitigation measures. Ongoing monitoring, threat intelligence, and regular security updates are essential to reduce the likelihood of comparable security breaches.
Summary of Coverage
A significant security flaw known as a zero-day vulnerability (CVE-2023-47246) in the SysAid IT support and management software was used by an individual named Lace Tempest to breach several organizations. By exploiting this vulnerability, the attackers were able to gain unauthorized entry into systems, run code without permission, implant the GraceWire trojan into different procedures, and carry out manual actions such as stealing data and deploying ransomware. The security measures put in place by the company did not succeed in identifying or stopping the breach. Timely fixing of the vulnerability and the establishment of strong security protocols could have averted this incident. This event underscores the significance of addressing zero-day vulnerabilities, maintaining effective incident response procedures, and continuously monitoring to reduce the risk of similar breaches.