MOVEit Hackers Turn to SysAid Zero-Day BugPath Traversal Bug Leads to Code Execution Within SysAid On-Premises Software
A Russian digital extortion gang behind a raft of attacks on file transfer applications is now targeting a newly patched vulnerability in SysAid IT help desk support software.
In a tweet late Wednesday, Microsoft said the Russian-speaking gang loads GraceWire malware, a remote access Trojan also known as FlawedGrace. "This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment," Microsoft added.
Microsoft tracks the threat actor as Lace Tempest, but it's more familiar as Clop, especially after the late May mass attack on MOVEit file transfer software the gang initiated using a zero-day vulnerability (see: Data Breach Toll Tied to Clop Group's MOVEit Attack Surges).
SysAid said it had learned on Nov. 2 of a potential vulnerability, tracked as CVE-2023-47246, and contracted with security firm Profero to investigate. Security firm Elastic said it had observed exploitation of the vulnerability beginning on Oct. 30.
In an emailed statement, a SysAid spokesperson said the company "immediately began communicating with our on-premises customers about the matter, ensuring a workaround solution was implemented as quickly as possible. We have rolled out a product upgrade that includes security enhancements to address the security risk." The firm listed more than 5,000 organizations as customers on its website, including global heavyweights such as Adobe, Coca-Cola and Fuji Xerox.
Analysis showed that hackers had used "a previously unknown path traversal vulnerability leading to code execution," the company said. Hackers uploaded an archive file containing a web shell and other payloads into the webroot of the company's deployment of Tomcat, an Apache open-source program for managing web applications.
Security firm Rapid7 said a query to internet of things search engine Shodan showed only 416 instances of SysAid exposed to the public internet.
SysAid's analysis of the attacks also said the attackers use a second PowerShell script to erase evidence of their actions and that they have been downloading a CobaltStrike listener on victim hosts, likely for persistence.