SysAid tells customers to patch immediately after Microsoft flags ransomware campaign exploiting new zero-day flaw


SysAid has urged its customers to deploy the latest patch and pay close attention to the traffic in and out of their servers, as hackers were spotted abusing a zero-day flaw to drop ransomware.

In a blog post, Sasha Shapirov, CTO of SysAid, together with the Profero Incident Response Team, noted that the company had discovered a “potential vulnerability” on November 2, after being tipped off by Microsoft.

Further investigation determined that the vulnerability was a zero-day flaw in the SysAid on-premises software. The flaw is tracked as CVE-2023-47246 and is described as a path traversal vulnerability that allows for remote code execution.

Staying safe

Microsoft’s Threat Intelligence Team identified Lace Tempest (AKA DEV-0959) as the group abusing the flaw, apparently to drop the Cl0p ransomware encryptor. This is a multi-stage attack that starts with the upload of a WAR archive holding a WebShell and other payloads, into the webroot of the SysAid Tomcat web service. It ends with ransomware and a Cobalt Strike beacon, for good measure.

To keep their endpoints secure, SysAid urges all users to update their on-premises software to version 23.3.36, which remediates the path traversal flaw and prevents the ransomware from being installed. Furthermore, users should “conduct a comprehensive compromise assessment” of their network to look for further indicators of compromise.

More details about the indicators and how to spot Lace Tempest can be found at this link.

SysAid is an extensive IT service management (ITSM) product suite that helps businesses manage different IT services in their organization. Cl0p, on the other hand, is an infamous ransomware threat actor likely from Russia. It gained world fame last summer after it successfully infiltrated the MOVEit managed file transfer service and compromised sensitive data belonging to thousands of companies and millions of individuals.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
