A SysAid Vulnerability Is Being Used To Deploy Clop Ransomware, Warns Microsoft

SysAid's system management software has 'a vulnerability actively being exploited to deploy Clop ransomware,' according to SiliconAngle:

The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X that it had discovered the exploitation of a zero-day vulnerability in SysAid's IT support software that's being exploited by the Lace Tempest ransomware gang.

Lace Tempest first emerged earlier this year from its attacks involving the MOVEit Transfer and GoAnywhere MFT. This group has been characterized by its sophisticated attack methods, often exploiting zero-day vulnerabilities to infiltrate organizations' systems to deploy ransomware and exfiltrate sensitive data...
In a blog post, SysAid said that the vulnerability, tracked as CVE-2023-47246, was first discovered on Novembers 2 and is a path traversal vulnerability leading to code execution within the SysAid on-prem software... 'Given the scale and impact of the MOVEit breach, which was considered one of the largest in recent history, the potential for the SysAid vulnerability to reach similar levels of disruption is not inconceivable, though several factors would influence this outcome,' Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., told SiliconANGLE. 'The MOVEit breach, exploited by the Clop ransomware group, impacted over 1,000 organizations and more than 60 million individuals,' Jones explained. 'Comparatively, SysAid claims more than 5,000 customers across various industries globally. The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied and the sensitivity of the accessed data.'

SysAid's blog post confirms the zero-day vulnerability, and says they've begun 'proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified...'

'We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network...'
The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service [which] provided the attacker with unauthorized access and control over the affected system.Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan...
After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker's actions from the disk and the SysAid on-prem server web logs... Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and install any patches as they become available.

Read more of this story at Slashdot.