A SysAid Vulnerability Is Being Used To Deploy Clop Ransomware, Warns Microsoft (siliconangle.com)

SysAid's system management software has "a vulnerability actively being exploited to deploy Clop ransomware," according to SiliconAngle: The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X that it had discovered the exploitation of a zero-day vulnerability in SysAid's IT support software that's being exploited by the Lace Tempest ransomware gang.

Lace Tempest first emerged earlier this year from its attacks involving the MOVEit Transfer and GoAnywhere MFT. This group has been characterized by its sophisticated attack methods, often exploiting zero-day vulnerabilities to infiltrate organizations' systems to deploy ransomware and exfiltrate sensitive data...

In a blog post, SysAid said that the vulnerability, tracked as CVE-2023-47246, was first discovered on November 2 and is a path traversal vulnerability leading to code execution within the SysAid on-prem software... "Given the scale and impact of the MOVEit breach, which was considered one of the largest in recent history, the potential for the SysAid vulnerability to reach similar levels of disruption is not inconceivable, though several factors would influence this outcome," Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., told SiliconANGLE. "The MOVEit breach, exploited by the Clop ransomware group, impacted over 1,000 organizations and more than 60 million individuals," Jones explained. "Comparatively, SysAid claims more than 5,000 customers across various industries globally. The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied and the sensitivity of the accessed data."

SysAid's blog post confirms the zero-day vulnerability, and says they've begun "proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified..."

"We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network..." The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service [which] provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan...

After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker's actions from the disk and the SysAid on-prem server web logs... Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and installing any patches as they become available.
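As an added example (not code from SysAid, Microsoft or SiliconAngle), the following Python triage helper turns the advisory's three action points into checks a defender can run over an inventory of an on-prem host: is the install at 23.3.36 or later, is there an unexpected WAR archive or a user.exe loader in the Tomcat webroot, and are there missing or emptied days in the Tomcat access logs, consistent with the log wiping described above. The allowlist, paths and sample records are constructed; per-day log files assume Tomcat's default AccessLogValve rotation.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Set

# Version the advisory names as remediating CVE-2023-47246.
PATCHED_VERSION = (23, 3, 36)


def is_patched(version: str) -> bool:
    """True when an on-prem install reports 23.3.36 or later."""
    return tuple(int(p) for p in version.strip().split(".")) >= PATCHED_VERSION


@dataclass
class FileRecord:
    path: str        # path relative to the Tomcat webroot (constructed inventory)
    mtime: datetime  # last-modified time as recorded by the inventory


def triage_webroot(files: List[FileRecord], expected_wars: Set[str],
                   since: datetime) -> List[str]:
    """Flag artifacts matching the reported chain: a WAR archive (carrying a
    WebShell) dropped into the webroot, and the user.exe loader it launched."""
    findings = []
    for f in files:
        name = f.path.rsplit("/", 1)[-1].lower()
        if name.endswith(".war") and name not in expected_wars:
            findings.append(f"unexpected WAR in webroot: {f.path}")
        if name == "user.exe":
            findings.append(f"loader name from advisory: {f.path}")
        elif f.mtime >= since and name.endswith((".jsp", ".ps1", ".exe")):
            findings.append(f"recently written script/binary: {f.path}")
    return findings


def triage_access_logs(log_sizes: Dict[date, int], start: date,
                       end: date) -> List[str]:
    """Tomcat writes one access log per day by default; a missing or empty day
    inside the review window is consistent with the log wiping described."""
    findings, d = [], start
    while d <= end:
        size = log_sizes.get(d)
        if size is None:
            findings.append(f"access log missing for {d}")
        elif size == 0:
            findings.append(f"access log emptied for {d}")
        d += timedelta(days=1)
    return findings
```

Feed it the real webroot listing and log directory sizes from the host; any finding is a reason to move to the compromise-assessment step rather than stop at patching.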

  • Wrote on what? (Score:4, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Sunday November 12, 2023 @03:33PM (#64000447)

    The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X

    You misspelled Twitter.

    Also, posting vuln advisories on Twitter... It looks just about as serious and professional as, I don't know... a POTUS posting stuff on Twitter.

    Way to go Microsoft.

    • by Anonymous Coward
      I think you are just used to other companies making a big song and dance about everything they find in other people's products. The Threat Intelligence group is there to alert customers using MS threat intelligence; it is SysAid's job to officially notify its customers and ensure it is properly publicised.
    • by ls671 ( 1122017 )

      Also, posting vuln advisories on Twitter... It looks just about as serious and professional as, I don't know... a POTUS posting stuff on Twitter.

      Back in the days, I used to use Slashdot as my CVE vulnerabilities feed. Those days are long gone. /s

    • An actively exploited zero-day by a major gang which probably already scanned the entire internet and dropped payloads everywhere ... of course that should be publicised on Twitter ASAP.

      What other platform has better reach which they could use? Maximum reach is called for; the gang is already in, and the only way to limit damage is to warn people through every avenue as soon as possible.

  • My PC doesn't have System AIDS so I wouldn't know

    • Yeah, I see they are about to "deploy" a "System AID" and I'm super-not-impressed-and-don't-give-a-single-fuck. Nobody cares, M$. Now the system is on double secret probation or whatever. Big fucking whoop. I also noticed that MOVEit is capitalized and spelled like those FUCKit stickers people put on their cars. They should do a merger.
