SysAid Zero-Day Vulnerability Exploited by Ransomware Group

A zero-day vulnerability in SysAid IT service management software, tracked as CVE-2023-47246, has been exploited by Cl0p ransomware affiliates.

Organizations using SysAid IT service management software have been warned about a zero-day vulnerability that has been exploited by affiliates of a notorious ransomware operation. 

Exploitation of the zero-day, tracked as CVE-2023-47246, was apparently first observed by Microsoft’s threat intelligence team, which rushed to notify SysAid about the vulnerability and the attacks.

The vendor has determined that its SysAid on-premises software is impacted by the flaw, which has been described as a path traversal issue leading to arbitrary code execution. 

SysAid learned about the zero-day on November 2, and it announced the release of version 23.3.36, which should patch the vulnerability, on November 8. 

In addition to patches, the vendor has shared technical information on the observed attacks, including indicators of compromise (IoCs), as well as recommendations on the steps that potentially impacted customers should take. 

Incident response company Profero, which assisted SysAid in its investigation, has also published a blog post describing its findings.

According to Microsoft, CVE-2023-47246 has been exploited by a threat actor it tracks as Lace Tempest, which is also known as DEV-0950 and whose activities overlap with the groups named FIN11 and TA505. They are all known for deploying Cl0p ransomware.

Microsoft previously linked Lace Tempest to the massive MOVEit Transfer zero-day exploitation, which to date has impacted — both directly and indirectly — more than 2,500 organizations. In those attacks, the cybercriminals exploited a MOVEit managed file transfer software flaw to gain access to the information exchanged by organizations through the product. They then used the stolen files to extort money from victims.

In the SysAid zero-day attacks, the hackers leveraged the IT support software to deliver the MeshAgent remote administration tool and the GraceWire malware. 

“This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment,” Microsoft said.

According to SysAid, the cybercriminals also deployed a PowerShell script to cover their tracks by erasing evidence from targeted servers. 

*updated to add link to Profero blog post

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.