Ransomware Group Exploits SysAid Zero-Day Vulnerability

The ransomware group Cl0p has taken advantage of the CVE-2023-47246 zero-day vulnerability in SysAid's IT service management software. The article titled "SysAid Zero-Day Vulnerability

Nov 9, 2023 - 08:00

SysAid IT Service Management Software Hit by Zero-Day Vulnerability Exploited in Ransomware Attacks

SysAid, a provider of IT service management software, has issued a critical alert to users regarding a zero-day vulnerability within its on-premises systems that has been actively exploited by cybercriminals affiliated with a well-known ransomware syndicate. This vulnerability, cataloged as CVE-2023-47246, was first detected by Microsoft's threat intelligence unit, prompting an immediate notification to SysAid regarding the security breach and subsequent exploitation.

The flaw is a path traversal vulnerability that enables attackers to execute arbitrary code on affected systems. SysAid was informed of the issue on November 2 and, by November 8, had released an updated version of its software, 23.3.36, that addresses the vulnerability.

SysAid has published detailed information about the attack, including indicators of compromise and recommended steps for potentially affected customers to secure their systems against these threats.

Microsoft's security experts have identified the attackers exploiting this vulnerability as the Lace Tempest group, also tracked under the aliases DEV-0950, FIN11, and TA505, entities notorious for their deployment of Cl0p ransomware in various cyber campaigns.

Lace Tempest was previously implicated by Microsoft in the extensive MOVEit Transfer zero-day attacks, which compromised the data exchange systems of over 2,500 organizations globally. In those incidents, attackers exploited existing software vulnerabilities to hijack sensitive data and initiate extortion schemes.

In the recent wave of attacks targeting SysAid's zero-day, the attackers reportedly used the software's IT support framework to deploy MeshAgent, a remote administration tool, and the malicious GraceWire software, setting the stage for subsequent operations such as lateral movement within networks, data theft, and ransomware deployment.

SysAid also reported that the attackers attempted to cover their tracks by running a PowerShell script designed to delete traces of the intrusion from the compromised servers.