MOVEit Hackers Pivot to SysAid Zero-Day in Ransomware Attacks

Move over MOVEit, there's a new zero-day being exploited to deploy Cl0p ransomware into enterprise networks. This time, the same threat actors were caught leveraging a flaw in on-premises deployments of SysAid IT Support software.

Microsoft announced the flaw, tracked under CVE-2023-47246, on Nov. 8, adding that SysAid has already issued a patch. SysAid CTO Sasha Shapirov explained in a blog post published on the same day that the company was made aware of the vulnerability on Nov. 2, which triggered an immediate investigation and remediation effort.

SysAid offers IT help desk and support service automation for organizations across a variety of data-sensitive sectors, including healthcare, human resources, higher education, and manufacturing. The company did not immediately respond to requests to comment about the number of potential or identified victims of cyberattack.

Microsoft's Threat Intelligence Team determined that the threat actor behind the exploit was Lace Tempest, also known by the designation DEV-0950, which is known for deploying Cl0p ransomware for their extortion campaigns. The group used the same ransomware strain against the MOVEit zero-day vulnerability in a blitz of attacks that compromised hundreds of organizations.

"The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software," Shapirov explained. "The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat Web service."

The SysAid exec recommended enterprise teams running on-premises versions of SysAid should crack open the incident response playbook and keep patches up-to-date as they become available. The post also provided detailed indicators of compromise (IoCs).

"We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conducts a comprehensive compromise assessment of your network to look for any indicators further discussed below," Shapirov added. "Should you identify any indicators, take immediate action and follow your incident-response protocols."

The Problem With On-Prem Patching

The fact that this SysAid vulnerability impacts on-premises instances will likely delay patching in many enterprises, according John Gallagher, vice president of Viakoo Labs.

"Many organizations lose track of who is responsible for on-premises deployments unless they are managed by IT," Gallagher says. "Organizations should have a complete asset inventory, including application-based discovery."

As costs related to the MOVEit breach spiral into the billions, this new SysAid discovery is alarming and demonstrates the critical need for enterprise security teams to respond quickly to emerging threats.

"The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied, and the sensitivity of the accessed data," Craig Jones, vice president of security operations at Ontinue says. "Given the Cl0p group's historical tactics, as seen in the MOVEit incident, and their likely financial motivation, there is a risk of significant impact if the SysAid vulnerability is not swiftly and effectively mitigated."

To prepare in advance of the next zero-day campaign, Paul Laudanski, director of security research for Onapsis suggested that security teams need get clear on what's in their networks and monitor effectively. That includes firewalls configured to identify path traversal, monitoring of webshell execution and engagement, and more, he explained via email.

"This attack serves as a huge wake-up call for companies that lack proper threat detection capabilities, understanding, and mapping of their end-to-end ecosystem," Laudanski added. "Organizations should understand their environment and fine-tune alerts regularly."