SysAid has urged its customers to deploy the latest patch and pay close attention to traffic in and out of their servers, as hackers were spotted taking advantage of a zero-day flaw to drop ransomware.
In a blog post, SysAid CTO Sasha Shapirov and the Profero Incident Response Team noted that the company discovered a “potential vulnerability” on November 2 after being tipped off by Microsoft.
Further investigation revealed that the vulnerability was a zero-day flaw in SysAid’s on-premises software. The flaw is tracked as CVE-2023-47246 and is described as a path traversal vulnerability that allows remote code execution.
Stay safe
Microsoft’s Threat Intelligence team has identified Lace Tempest (AKA DEV-0959) as the group that exploited the flaw, apparently to drop the Cl0p ransomware encryptor. This is a multi-stage attack that starts by uploading a WAR archive containing a WebShell and other payloads to the web root of the SysAid Tomcat web service. It ends with ransomware and a Cobalt Strike beacon, for good measure.
To keep their endpoints safe, SysAid urges all users to update their local software to version 23.3.36, which will fix the path traversal error and prevent the ransomware from being installed. Additionally, users should “conduct a comprehensive compromise assessment of their network” to look for further indicators of compromise.
More details about the indicators and how to recognize Lace Tempest can be found at this link.
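One way to begin the compromise assessment SysAid recommends, as an added example that is not SysAid's, Microsoft's or Profero's code: the attack chain described above writes a WAR archive into the Tomcat web root by way of a path-traversal request, so two cheap checks are (1) listing deployments in the Tomcat `webapps` directory that an administrator did not put there and (2) scanning the Tomcat access log for request targets containing `..` segments, including URL-encoded and double-encoded forms. The allow-list, the application name `sysaid`, the log lines and the `/opt/tomcat/webapps` path are constructed assumptions; the real indicators of compromise are in the advisory linked above, not in this script.

```python
"""Compromise-assessment helpers for a Tomcat-hosted web application.

Added example. Two checks that follow from the attack chain described in
the article (a WAR archive written into the Tomcat web root via path
traversal):
  * unexpected_deployments(): deployments in webapps/ that are not on an
    administrator's allow-list.
  * traversal_requests(): access-log lines whose request target contains a
    directory-traversal sequence, including URL-encoded forms.
All names, paths and log lines here are constructed assumptions, not SysAid
indicators of compromise.
"""
import os
import re
from pathlib import Path
from urllib.parse import unquote

# Hypothetical allow-list: deployments the administrator expects to see.
# "sysaid" is an assumed application name, not taken from the vendor.
KNOWN_DEPLOYMENTS = frozenset({"ROOT", "manager", "host-manager", "sysaid"})

# Tomcat "common" access-log pattern: host ident user [time] "request" status bytes
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A ".." path segment bounded by slashes or backslashes (or the string ends).
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def unexpected_deployments(entries, known=KNOWN_DEPLOYMENTS):
    """Return entry names (files or directories) whose deployment name is not allow-listed.

    A 'foo.war' file and a 'foo/' directory both map to the deployment 'foo'.
    """
    flagged = []
    for name in entries:
        base, ext = os.path.splitext(name)
        deployment = base if ext.lower() == ".war" else name
        if deployment not in known:
            flagged.append(name)
    return sorted(flagged)


def unexpected_webapps(webapps_dir, known=KNOWN_DEPLOYMENTS):
    """Filesystem wrapper: inspect a real Tomcat webapps directory."""
    return unexpected_deployments((p.name for p in Path(webapps_dir).iterdir()), known)


def has_traversal(target):
    """True if the request target contains a '..' segment after URL decoding.

    Decoding twice also catches double-encoded forms such as '%252e%252e%252f'.
    """
    decoded = unquote(unquote(target))
    return TRAVERSAL_RE.search(decoded) is not None


def traversal_requests(log_lines):
    """Return (host, method, target, status) for each log line with a traversal target."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("host"), m.group("method"),
                         m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log: three benign requests and two traversal attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2023:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Nov/2023:10:12:02 +0000] "GET /api/items?id=42 HTTP/1.1" 200 88',
    '198.51.100.7 - - [08/Nov/2023:10:13:14 +0000] "GET /static/..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 404 0',
    '198.51.100.7 - - [08/Nov/2023:10:13:15 +0000] "POST /files/%252e%252e/%252e%252e/tmp/note.txt HTTP/1.1" 200 0',
    '10.0.0.9 - - [08/Nov/2023:10:14:00 +0000] "GET /docs/version..2/notes HTTP/1.1" 200 10',
]


if __name__ == "__main__":
    for hit in traversal_requests(SAMPLE_LOG):
        print("traversal request:", hit)
    # On a real host, point this at the Tomcat webapps directory (assumed path):
    # print(unexpected_webapps("/opt/tomcat/webapps"))
```

The deployment check deliberately treats `foo.war` and an exploded `foo/` directory as the same deployment, because Tomcat auto-deploys the archive into a directory of the same name; a WAR dropped into the web root shows up as both. The traversal check only flags `..` when it is a whole path segment, so names like `version..2` do not generate noise, and it decodes twice so that double-encoded sequences are not missed.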
SysAid is a comprehensive IT service management (ITSM) product suite that allows companies to manage various IT services across their organization. Cl0p, on the other hand, is a notorious ransomware threat actor, likely from Russia. It rose to global fame last summer after successfully infiltrating the MOVEit-operated file transfer service and compromising sensitive data belonging to thousands of companies and millions of individuals.