MOVEit Hackers Pivot to SysAid Zero-Day in Ransomware Attacks


Move over MOVEit, there’s a new zero-day being exploited to deploy Cl0p ransomware into enterprise networks. This time, the same threat actors were caught leveraging a flaw in on-premises deployments of SysAid IT Support software.

Microsoft announced the flaw, tracked under CVE-2023-47246, on Nov. 8, adding that SysAid has already issued a patch. SysAid CTO Sasha Shapirov explained in a blog post published on the same day that the company was made aware of the vulnerability on Nov. 2, which triggered an immediate investigation and remediation effort.

SysAid offers IT help desk and support service automation for organizations across a variety of data-sensitive sectors, including healthcare, human resources, higher education, and manufacturing. The company did not immediately respond to requests to comment about the number of potential or identified victims of cyberattack.

Microsoft’s Threat Intelligence Team determined that the threat actor behind the exploit was Lace Tempest, also known by the designation DEV-0950, which is known for deploying Cl0p ransomware for their extortion campaigns. The group used the same ransomware strain against the MOVEit zero-day vulnerability in a blitz of attacks that compromised hundreds of organizations.

“The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software,” Shapirov explained. “The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat Web service.”

The SysAid exec recommended enterprise teams running on-premises versions of SysAid should crack open the incident response playbook and keep patches up-to-date as they become available. The post also provided detailed indicators of compromise (IoCs).

“We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network to look for any indicators further discussed below,” Shapirov added. “Should you identify any indicators, take immediate action and follow your incident-response protocols.”
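As an added illustration of the compromise assessment Shapirov recommends (example code written for this article, not SysAid's own tooling or its published IoCs), the script below inventories WAR archives in a Tomcat webroot, flags any that are not in an assumed baseline, and lists the JSP entries they carry, since the described intrusion dropped a WAR containing a WebShell into that webroot. The baseline name, the sample webroot and the file names inside it are constructed for the demonstration.

```python
import tempfile
import zipfile
from pathlib import Path

# Assumption: the only WAR that legitimately lives in this webroot is the
# SysAid application itself; adjust the baseline to match your deployment.
BASELINE_WARS = {"sysaid.war"}


def inspect_war(war_path):
    """Return the JSP/JSPX entries inside a WAR, or None if it is not a valid zip."""
    try:
        with zipfile.ZipFile(war_path) as archive:
            return [n for n in archive.namelist()
                    if n.lower().endswith((".jsp", ".jspx"))]
    except zipfile.BadZipFile:
        return None  # a non-archive named *.war is itself worth a look


def scan_webroot(webroot, baseline=BASELINE_WARS):
    """List WAR archives under the webroot that are not in the baseline.

    Each finding records the archive name and the JSP pages it would expose
    once Tomcat auto-deploys it, which is what a dropped WebShell relies on.
    """
    findings = []
    for war in sorted(Path(webroot).rglob("*.war")):
        if war.name in baseline:
            continue
        findings.append({"war": war.name, "jsp_entries": inspect_war(war)})
    return findings


def build_sample_webroot():
    """Construct a throwaway webroot: the baseline WAR plus one unexpected WAR."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "sysaid.war", "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
    # Constructed sample, not a real indicator from the SysAid advisory.
    with zipfile.ZipFile(root / "dropped.war", "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
        archive.writestr("shell.jsp", "<%-- placeholder page for the sample --%>")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding)
```

Point the scanner at the real Tomcat webroot of an on-prem SysAid host and review every finding against change records before treating it as a compromise.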

The…