November 9, 2023 at 05:30AM
A zero-day vulnerability in SysAid IT service management software has been exploited by a ransomware operation. Microsoft's threat intelligence team discovered the exploitation and alerted SysAid, which released a patch on November 8. The vulnerability enables arbitrary code execution and was used by the group Lace Tempest, also linked to the Cl0p ransomware attacks. The attackers used the software to install remote administration tools and malware and carried out activities such as lateral movement and data theft.
Key takeaways:
1. Organizations using SysAid IT service management software have been warned about a zero-day vulnerability that has been exploited by affiliates of a notorious ransomware operation.
2. The vulnerability, tracked as CVE-2023-47246, is a path traversal issue in SysAid’s on-premises software that leads to arbitrary code execution.
3. Microsoft’s threat intelligence team discovered the exploitation and notified SysAid about the vulnerability and ongoing attacks.
4. SysAid released version 23.3.36 on November 8, which includes a patch for the zero-day vulnerability.
5. SysAid has provided technical information on the attacks, including indicators of compromise (IoCs), and recommendations for potentially impacted customers.
6. Microsoft has identified the threat actor as Lace Tempest, also known as DEV-0950, whose activities overlap with the groups named FIN11 and TA505, all known for deploying the Cl0p ransomware.
7. Previously, Lace Tempest was linked to the MOVEit Transfer zero-day exploitation that affected more than 2,500 organizations.
8. In the SysAid zero-day attacks, the hackers used the IT support software to deliver the MeshAgent remote administration tool and the GraceWire malware.
9. The hackers also deployed a PowerShell script to erase evidence from targeted servers.
10. This attack highlights the importance of promptly patching vulnerabilities and taking proactive steps to enhance cybersecurity defenses.
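Two practical checks follow from takeaways 5 and 7: an on-premises SysAid instance is considered exposed until it runs 23.3.36 or later, and a path traversal flaw leaves a recognisable trace in web server access logs. The script below is an added example, not code from the article or from SysAid: it compares an installed version string against the patched version named above (assuming a plain dotted-numeric version format) and flags access-log requests whose decoded target contains a `../` sequence, decoding repeatedly so double-encoded forms are caught. The log lines, IP addresses and request paths are constructed for the example and do not reproduce the real exploit request.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Common Log Format. The addresses and
# paths are made up for this example; they are not indicators from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2023:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [08/Nov/2023:10:12:07 +0000] "POST /upload?path=..%2F..%2Fwebapps%2Fx HTTP/1.1" 200 10
10.0.0.9 - - [08/Nov/2023:10:12:08 +0000] "GET /..%252F..%252Fconf/file HTTP/1.1" 404 0
10.0.0.7 - - [08/Nov/2023:10:13:00 +0000] "GET /static/app.js HTTP/1.1" 200 2048
"""

# Minimal Common Log Format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A "../" after normalising backslashes to forward slashes, or a trailing "..".
TRAVERSAL_RE = re.compile(r'\.\.(/|$)')


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing, so %252F -> %2F -> / is caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target):
    """True if the decoded request target contains a parent-directory reference."""
    normalised = decode_fully(target).replace('\\', '/')
    return TRAVERSAL_RE.search(normalised) is not None


def find_traversal_requests(log_text):
    """Return (ip, method, raw_target, status) for each request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal(m['target']):
            hits.append((m['ip'], m['method'], m['target'], int(m['status'])))
    return hits


# Version that the article states contains the fix for CVE-2023-47246.
PATCHED_VERSION = "23.3.36"


def parse_version(v):
    """Turn a dotted-numeric version string into a comparable tuple (assumed format)."""
    return tuple(int(part) for part in v.split('.'))


def is_patched(installed):
    """True if the installed version is the patched release or newer."""
    return parse_version(installed) >= parse_version(PATCHED_VERSION)


if __name__ == "__main__":
    for ver in ("23.3.35", "23.3.36", "23.4.0"):
        print(f"version {ver}: {'patched' if is_patched(ver) else 'VULNERABLE'}")
    for ip, method, target, status in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {method} {target} -> {status}")
```

A successful exploitation attempt need not return an error status, so the check does not filter on response code; the tuple-based version comparison avoids the string-comparison pitfall where "23.3.9" would sort after "23.3.36".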