SysAid tells customers to patch immediately after Microsoft flags ransomware campaign exploiting new zero-day flaw

(Image credit: Shutterstock / binarydesign)

SysAid has urged its customers to deploy the latest patch and pay close attention to the traffic in and out of their servers, as hackers were spotted abusing a zero-day flaw to drop ransomware.

In a blog post, CTO of SysAid and Profero Incident Response Team Sasha Shapirov noted the company had discovered a “potential vulnerability” on November 2, after being tipped off by Microsoft

Further investigation determined that the vulnerability was a zero-day flaw in the SysAid on-premises software. The flaw is tracked as CVE-2023-47246 and is described as a path traversal vulnerability that allows for remote code execution. 

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Staying safe

Microsoft’s Threat Intelligence Team identified Lace Tempest (AKA DEV-0959) as the group abusing the flaw, apparently to drop the Cl0p ransomware encryptor. This is a multi-stage attack that starts with the upload of a WAR archive holding a WebShell and other payloads, into the webroot of the SysAid Tomcat web service. It ends with ransomware and a Cobalt Strike beacon, for good measure.

To keep their endpoints secure, SysAid urges all users to update their on-premise software to version 23.3.36, which remediates the path traversal flaw and prevents the ransomware from being installed. Furthermore, users should “conduct a comprehensive compromise assessment” of their network to look for further indicators of compromise.

More details about the indicators and how to spot Lace Tempest can be found on this link.

SysAid is an extensive IT service management (ITSM) product suite that helps businesses manage different IT services in their organization. Cl0p, on the other hand, is an infamous ransomware threat actor likely from Russia. It gained world fame last summer after it successfully infiltrated the MOVEit managed file transfer service and compromised sensitive data belonging to thousands of companies and millions of individuals. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.