Microsoft: ‘SysAid vulnerability exploited to spread Clop ransomware’

Microsoft is warning that a vulnerability in SysAid’s system management software is being actively exploited. The vulnerability is being used to spread the well-known Clop ransomware.

A vulnerability in SysAid’s system management software was recently discovered. The software vendor confirmed this CVE-2023-47246 vulnerability and warned that it could be actively exploited.

The vulnerability is a path traversal flaw that can lead to arbitrary code execution in the SysAid on-premises software. To achieve this, attackers upload a WAR file containing a web shell and other malicious payloads into the webroot of the SysAid Tomcat web service.

Active exploitation for ransomware

Microsoft has now found that the vulnerability is indeed being actively exploited, by none other than the Lace Tempest ransomware gang. This gang is held responsible for spreading the Clop ransomware behind the infamous MOVEit Transfer and GoAnywhere MFT breaches earlier this year, in which sensitive data was also stolen.

According to Microsoft, Lace Tempest sent commands through the SysAid software to deliver a malware loader for the Gracewire malware. This action is often followed by manual hacking, such as lateral movement, data theft, and ransomware.

Extent of impact unknown

How many companies using the SysAid software have now been affected is unclear. The company has about 5,000 customers, according to researchers at Rapid7, all of whom are potentially vulnerable. This makes any active exploit as dangerous as that of, say, the earlier MOVEit attack.

SysAid has since released a patch for the vulnerability and is urging users to update their systems to version 23.3.36. Customers should also conduct an analysis of their SysAid server and investigate what information someone with full access to the server could see. Furthermore, they should also check for abnormal behaviour.
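As an added example (not from the article, SysAid or Microsoft), the following Python check covers two of the steps above: confirming the installed version is at least 23.3.36, and flagging Tomcat access-log requests that contain traversal sequences, reference WAR files, or serve JSP pages outside the SysAid application context. The log lines, the `/sysaid/` context path and the upload endpoint are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote
PATCHED_VERSION = (23, 3, 36)  # fixed release named in the SysAid advisory
KNOWN_CONTEXTS = ("/sysaid/",)  # assumed Tomcat context path of the SysAid app

# Constructed Tomcat access-log lines; hosts, endpoints and file names are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2023:10:01:02 +0000] "GET /sysaid/Login.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [08/Nov/2023:10:02:15 +0000] "POST /sysaid/upload?file=..%2F..%2Fwebapps%2Fhelper.war HTTP/1.1" 200 12
10.0.0.9 - - [08/Nov/2023:10:02:40 +0000] "GET /helper/cmd.jsp HTTP/1.1" 200 88
10.0.0.7 - - [08/Nov/2023:10:03:00 +0000] "GET /sysaid/static/app.js HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # '../' or '..\' after decoding


def is_patched(version: str) -> bool:
    """True if a dotted numeric SysAid on-prem version is 23.3.36 or later."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= PATCHED_VERSION


def _decode(target: str) -> str:
    """Unwrap up to three layers of percent-encoding so '..%252F' is still caught."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_requests(log_text: str):
    """Return (ip, method, decoded_target, reasons) for requests worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        target = _decode(m["path"])
        path = target.split("?", 1)[0].lower()
        reasons = []
        if TRAVERSAL_RE.search(target):
            reasons.append("path traversal sequence")
        if ".war" in target.lower():
            reasons.append("WAR file referenced in request")
        if path.endswith(".jsp") and not path.startswith(KNOWN_CONTEXTS):
            reasons.append("JSP served outside the SysAid context")
        if reasons:
            hits.append((m["ip"], m["method"], target, reasons))
    return hits
```

Run `suspicious_requests(SAMPLE_LOG)` against a real access log by substituting its contents; hits are leads for the server analysis the vendor recommends, not proof of compromise on their own.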
