SysAid has patched a zero-day vulnerability that could allow attackers to exfiltrate data and launch ransomware.
On Nov. 8, SysAid, an Israel-based IT service management software company, reported a potentially exploited zero-day vulnerability in their on-premises software. Users of their on-premises server installations were encouraged to run version 23.3.36, which contained a fix. Microsoft Threat Intelligence analyzed the threat and found that Lace Tempest had exploited it.
The vulnerability was exploited by the threat group Lace Tempest, which distributes the Clop malware, Microsoft Threat Intelligence said on Nov. 8 on X (formerly Twitter). The Microsoft security experts wrote, in part, “…Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware.”
The ultimate goal of attacks like this is often lateral movement through a system, data theft and ransomware.
Jump to:
After discovering the potential vulnerability on Nov. 2, SysAid called in Israel-based rapid incident response company Profero, which discovered the details of the vulnerability. Profero found that the attacker used a path traversal vulnerability to upload a WAR archive containing a WebShell and other payloads into the SysAid Tomcat web service’s webroot. From there, Lace Tempest delivered a malware loader for the Gracewire malware.
This vulnerability was recorded by MITRE as CVE-2023-47246.
SysAid provided a list of indicators of compromise and steps to take in its blog post about this vulnerability. In order to protect your organization against this malware, SysAid emphasized the importance of downloading the patch. Organizations should review what information may have been stored within their SysAid server that might be appealing to attackers and check its activity logs for unauthorized behavior. Other recommended actions include updating SysAid systems and conducting a thorough compromise assessment of your SysAid server.
The Clop ransomware delivered by attackers to SysAid on-prem software through the path traversal vulnerability first appeared in 2019. Clop malware is associated with a Russian-aligned threat actor group known by the same name, which Microsoft says has “overlaps” with Lace Tempest. In June 2023, Microsoft found Lace Tempest running the extortion site that uses Clop malware.
SEE: What will cybersecurity look like next year? Google Cloud’s cybersecurity trends to watch in 2024 include generative AI-based attacks (TechRepublic)
The Clop ransomware group has claimed responsibility for several major attacks in 2023. In June, they threatened to expose data from British Airways, BBC and the British retailer Boots. They were also allegedly behind the MOVEit Transfer ransomware attack in June.