A SysAid Vulnerability Is Being Used To Deploy Clop Ransomware, Warns Microsoft (siliconangle.com)
SysAid's system management software has "a vulnerability actively being exploited to deploy Clop ransomware," according to SiliconAngle:
The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X that it had discovered the exploitation of a zero-day vulnerability in SysAid's IT support software that's being exploited by the Lace Tempest ransomware gang.
Lace Tempest first emerged earlier this year from its attacks involving the MOVEit Transfer and GoAnywhere MFT. This group has been characterized by its sophisticated attack methods, often exploiting zero-day vulnerabilities to infiltrate organizations' systems to deploy ransomware and exfiltrate sensitive data...
In a blog post, SysAid said that the vulnerability, tracked as CVE-2023-47246, was first discovered on November 2 and is a path traversal vulnerability leading to code execution within the SysAid on-prem software... "Given the scale and impact of the MOVEit breach, which was considered one of the largest in recent history, the potential for the SysAid vulnerability to reach similar levels of disruption is not inconceivable, though several factors would influence this outcome," Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., told SiliconANGLE. "The MOVEit breach, exploited by the Clop ransomware group, impacted over 1,000 organizations and more than 60 million individuals," Jones explained. "Comparatively, SysAid claims more than 5,000 customers across various industries globally. The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied and the sensitivity of the accessed data."
SysAid's blog post confirms the zero-day vulnerability, and says they've begun "proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified..."
"We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network..." The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service [which] provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan...
After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker's actions from the disk and the SysAid on-prem server web logs... Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and installing any patches as they become available.
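As an added example (not code from SysAid, Microsoft or SiliconANGLE), here are the two checks a compromise assessment of a Tomcat-hosted SysAid server would start with: requests in the access log whose decoded target walks up a directory, and WAR files in the Tomcat webroot that are not in a known-good baseline. The client addresses, request paths, file names and baseline are constructed.

```python
"""Compromise-assessment helpers for a Tomcat-hosted app such as SysAid on-prem.
Added example, not SysAid's or Microsoft's code; the log lines, webapps listing
and WAR baseline below are constructed stand-ins for a real server's data."""
import re
from urllib.parse import unquote
# Tomcat access log, default "common" pattern: client ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# A ".." segment bounded by a path or query delimiter, checked after decoding.
DOTDOT_RE = re.compile(r"(?:^|[/?&=])\.\.(?:/|$)")

def decode_fully(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e collapses to '..',
    then fold backslashes to '/' so Windows-style separators are caught too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def is_traversal(target: str) -> bool:
    """True when the decoded request target (path or query string) walks up a directory."""
    return DOTDOT_RE.search(decode_fully(target)) is not None

def find_traversal_attempts(lines):
    """(client, method, raw_target, status) per traversal-looking request; the status
    matters because a 200 on such a request is far more alarming than a 404."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group(4)):
            client, _ts, method, target, status = m.groups()
            hits.append((client, method, target, int(status)))
    return hits

def find_unexpected_wars(webapps_listing, baseline_wars):
    """WARs in the Tomcat webapps directory that are not in the known-good baseline;
    a newly dropped WAR is how the webshell in the advisory was deployed."""
    return sorted(n for n in webapps_listing
                  if n.lower().endswith(".war") and n not in baseline_wars)
# Constructed sample data (hypothetical clients, paths and file names).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2023:10:12:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Nov/2023:10:12:44 +0000] "POST /upload?file=..%2F..%2Fwebapps%2Fhelper.war HTTP/1.1" 200 -',
    '203.0.113.7 - - [08/Nov/2023:10:12:45 +0000] "GET /helper/cmd.jsp HTTP/1.1" 200 311',
    '198.51.100.2 - - [08/Nov/2023:10:13:02 +0000] "GET /docs/..%252F..%252Fconf%252Fserver.xml HTTP/1.1" 404 -',
]
SAMPLE_WEBAPPS = ["ROOT", "app.war", "helper.war", "manager"]
BASELINE_WARS = {"app.war"}
```

Because the advisory says the attacker's second script erased the server's web logs, run the log check against copies shipped off-host (SIEM, syslog, backups) rather than only the local files.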
Wrote on what? (Score:4, Insightful)
The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X
You misspelled Twitter.
Also, posting vuln advisories on Twitter... It looks just about as serious and professional as, I don't know... a POTUS posting stuff on Twitter.
Way to go Microsoft.
Re: (Score:2)
Also, posting vuln advisories on Twitter... It looks just about as serious and professional as, I don't know... a POTUS posting stuff on Twitter.
Back in the day, I used to use Slashdot as my CVE vulnerabilities feed. Those days are long gone. /s
Re: (Score:3)
The former alleged president is a triple-threat. He thinks he is a stable genius but he is also a stupid, paranoid Napoleon. That means that any racist, like Stephen Miller, easily convinces the former alleged president that he is the bees' knees to any crowd that thinks Jesus is a'coming any day, believes Championship Wrestling is a sport, or nurtures a gun fetish.
He's so toxic that no reputable law firm has agreed to take his cases; all he has are a few (and very few) individual lawyers who are willing to
Re: (Score:2)
OTOH, some POTUS are too senile to be able to use X or do anything right and productive and they let people in the shadow manage everything.
Yeah, exactly. And they are stuck in the past thinking they are running against an ex-president who is absolutely not running, thinks Victor Orban is the leader of Turkey, and that World War II is yet to be fought, and that hummus is a terror-organization. (I guess the latter could be true if you classify garlic as a weapon).
Re: (Score:3)
An actively exploited zero-day by a major gang which probably already scanned the entire internet and dropped payloads everywhere... of course that should be publicised on Twitter ASAP.
What other platform has better reach which they could use? Maximum reach is called for, the gang is already in, the only way to limit damage is warn people through every avenue as soon as possible.
Re: (Score:1)
I don't think that's where the exploits come from.
If I were to wager, I would say it's the massive flood of new, barely tested features Microsoft implements on each OS, given how absolutely stupid some of those exploits are.
You can see it on Windows itself: there are like 5 different ways to draw GUIs in the system and they use all of 'em across it.
They prefer to create a brand new one and pile on top instead of going back and improving the existing one, or even giving more than 5 seconds to write features thin
Re: (Score:1)
I don't think that's where the exploits come from.
Some do and some don't. There were indeed fairly recent exploits against SMB v1, which should have died more than a decade ago, but which for some reason still sticks around in some places. But if you look at the bugs recently ravaging Windows environments: directory traversal bugs (SysAid), request forgery (OWA), SQL injection (MOVEit), complete breakdown of corporate responsibility (SolarWinds), these are all issues which are absolutely laughable in 2023.
The whole situation reminds me a bit of the
Fuck is SysAid? (Score:2)
My PC doesn't have System AIDS so I wouldn't know