UPDATED 18:14 EST / NOVEMBER 09 2023


Microsoft warns SysAid vulnerability is being used to deploy Clop ransomware

Companies using system management software from information technology service management company SysAid Technologies Ltd. are being warned of a vulnerability actively being exploited to deploy Clop ransomware.

The warning came from Microsoft Corp.’s Threat Intelligence team, which wrote on X that it had discovered a zero-day vulnerability in SysAid’s IT support software being exploited by the Lace Tempest ransomware gang.

Lace Tempest first emerged earlier this year through its attacks involving MOVEit Transfer and GoAnywhere MFT. The group is known for sophisticated attack methods, often exploiting zero-day vulnerabilities to infiltrate organizations’ systems, deploy ransomware and exfiltrate sensitive data.

According to Microsoft, after exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware. This is typically followed by human-operated activity, including lateral movement, data theft and ransomware deployment.

In a blog post, SysAid said that the vulnerability, tracked as CVE-2023-47246, was first discovered on Nov. 2 and is a path traversal vulnerability leading to code execution within the SysAid on-prem software. The attackers are said to be uploading a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.

A patch is available for the vulnerability and SysAid is asking all customers to ensure that their systems are updated to version 23.3.36, which includes the patches for the exposure. Customers are also encouraged to conduct a thorough compromise assessment of their SysAid server, review any credentials or other information that would have been available to someone with full access to their SysAid server and check any relevant activity logs for suspicious behavior.
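As an added illustration of the log review SysAid recommends (this is example code, not from SysAid, Microsoft or the article), the following Python scans constructed Tomcat-style access-log lines for the indicators described above: URL-encoded path traversal sequences, requests that reference a WAR archive, and JSP requests served from a web application context that is not on an allowlist. It also lists unexpected entries in a Tomcat webapps directory. The log format, endpoint names, contexts and sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Tomcat/Apache combined-style access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" once the path has been decoded

def fully_decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded sequences such as %252e%252e are caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def context_of(path):
    """First path segment, i.e. the Tomcat web application context ('' for the ROOT context)."""
    first = path.split("?", 1)[0].strip("/").split("/", 1)[0]
    return "" if "." in first else first

def classify_request(path, known_contexts):
    """Reasons a request looks like traversal, a WAR drop, or a JSP from an unknown context."""
    decoded = fully_decode(path)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal sequence")
    if ".war" in decoded.lower():
        reasons.append("WAR archive referenced in request")
    if decoded.split("?", 1)[0].lower().endswith(".jsp") and context_of(decoded) not in known_contexts:
        reasons.append("JSP served from unknown web application context")
    return reasons

def scan_access_log(text, known_contexts):
    """Return one finding per log line that trips any rule; clean or unparseable lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("path"), known_contexts)
        if reasons:
            findings.append({"line": lineno, "ip": m.group("ip"), "path": m.group("path"), "reasons": reasons})
    return findings

def unexpected_webapps(entries, allowlist):
    """Entries in Tomcat's webapps directory that are not on the known-good list."""
    return sorted(e for e in entries if e not in allowlist)

# Constructed sample data (not from the article or any real incident); "helper" and "upload" are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:12:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:12:09 +0000] "POST /upload?file=..%252F..%252Fwebapps%252Fhelper.war HTTP/1.1" 200 12
203.0.113.7 - - [01/Jan/2024:10:12:15 +0000] "GET /helper/cmd.jsp HTTP/1.1" 200 88
10.0.0.6 - - [01/Jan/2024:10:13:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
"""
KNOWN_CONTEXTS = {"", "static", "upload"}
```

Running `scan_access_log(SAMPLE_LOG, KNOWN_CONTEXTS)` flags the second and third sample lines; pair it with `unexpected_webapps` over a real directory listing to spot a WAR dropped into the webroot.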

Exactly how many companies using SysAid software may have been affected is unclear. Rapid7 Inc., which also provides further information on the vulnerability and mitigation guidance, notes that SysAid claims to have over 5,000 customers. Rapid7 also said it’s investigating evidence of compromise related to the vulnerability with at least one of its customers.

“Given the scale and impact of the MOVEit breach, which was considered one of the largest in recent history, the potential for the SysAid vulnerability to reach similar levels of disruption is not inconceivable, though several factors would influence this outcome,” Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., told SiliconANGLE.

“The MOVEit breach, exploited by the Clop ransomware group, impacted over 1,000 organizations and more than 60 million individuals,” Jones explained. “Comparatively, SysAid claims more than 5,000 customers across various industries globally. The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied and the sensitivity of the accessed data.”

Paul Laudanski, director of security research at SAP and Oracle security provider Onapsis Inc., noted that the attack serves as a huge wakeup call for companies that lack proper threat detection capabilities, understanding and mapping of their end-to-end ecosystem.

“Organizations must ensure they are running web application firewalls that can be trained and configured to look out for path traversal, in addition to monitoring for activity or evidence of web shell execution and engagement,” Laudanski said. “Internal logs should be capturing command line execution to create alerts on suspicious forks or code execution.”
