Microsoft SysAid Zero-Day Flaw: Clop Ransomware Attacks Exploited Knowing how potential threats and vulnerabilities can impact your organization is important as an IT professional. Recently, cybercriminals have exploited a zero-day vulnerability in SysAid, a widely used service management software. This vulnerability allows unauthorized access to corporate servers, leading to data theft and the deployment of […]
Knowing how potential threats and vulnerabilities can impact your organization is important as an IT professional. Recently, cybercriminals have exploited a zero-day vulnerability in SysAid, a widely used service management software. This vulnerability allows unauthorized access to corporate servers, leading to data theft and the deployment of the notorious Clop ransomware.
SysAid, a comprehensive IT service management solution that provides various tools for managing IT services, has become the latest target for the Clop ransomware group. Known for exploiting zero-day vulnerabilities in software such as MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, the group continues to pose a serious threat. Microsoft’s Threat Intelligence team discovered the vulnerability, CVE-2023-47246, being used in the wild and took action to alert SysAid of the issue.
SysAid recently disclosed a path traversal vulnerability (CVE-2023-47246) that allowed unauthorized code execution. The threat actor took advantage of this zero-day flaw to upload a Web Application Resource (WAR) archive containing a webshell into the webroot of SysAid’s Tomcat web service.
Once the webshell was in place, the attackers executed additional PowerShell scripts and loaded the GraceWire malware. The malware was then injected into legitimate processes, like spoolsv.exe, msiexec.exe, and svchost.exe. Interestingly, the malware loader (‘user.exe’) specifically checks for the absence of Sophos security products on the compromised system.
Following data exfiltration, the threat actor attempted to cover their tracks by utilizing a PowerShell script that deleted traces of their activity logs.
Moreover, Microsoft identified Lace Tempest deploying extra scripts that fetched a Cobalt Strike listener on the compromised hosts. The nature of these attacks demonstrates a highly sophisticated and carefully executed operation, making it crucial for organizations to regularly update and secure their systems to stay protected against such threats.
After becoming aware of the vulnerability, SysAid quickly developed a patch for CVE-2023-47246, now available in a software update. All SysAid users are strongly advised to upgrade to version 23.3.36 or later.
As a system administrator, you should also examine servers for signs of compromise by performing the following steps:
SysAid has offered indicators of compromise that may assist in detecting or thwarting the intrusion, including filenames and hashes, IP addresses, file paths utilized in the attack, and commands employed by the threat actor to download malware or erase evidence of initial access.