
"Ransomware Alert: Clop Gang Targets Microsoft with Exploits on SysAid Zero-Day Vulnerability"

A newly discovered vulnerability in SysAid's widely used IT service automation software is being exploited by a notorious ransomware gang, the software maker says. In a blog post published Wednesday, SysAid CEO Sasha Shapirov reported that attackers are exploiting a zero-day vulnerability affecting the on-premises edition of its software.

A zero-day vulnerability is one that attackers exploit in the wild before the vendor (in this case, SysAid) has had time to fix it. Microsoft has reported limited attacks in recent weeks that exploited such a zero-day vulnerability in SysAid's IT support software, tracked as CVE-2023-47246.

The IT giant has linked the attacks to the Clop ransomware group (also known as Lace Tempest). Microsoft reported the flaw to the software provider, which repaired it immediately.

SysAid reported that its security team discovered a potential vulnerability in its on-premise software on November 2nd. The company engaged the cybersecurity firm Profero to investigate, and Profero determined that the software had been compromised through a zero-day vulnerability.

SysAid offers a comprehensive range of tools for managing IT services within an organization, including IT service monitoring, IT service management, and IT service management performance analysis.

Clop ransomware is most notorious for exploiting zero-day vulnerabilities in widely used software; recent examples among file transfer products include MOVEit Transfer, GoAnywhere MFT, and Accellion File Transfer Access. According to a report published on Wednesday by SysAid, CVE-2023-47246 is a path traversal vulnerability that can be exploited for unauthenticated code execution.

SysAid engaged the rapid incident response firm Profero to investigate the attacks and has published technical details of what was uncovered. The attacker exploited the zero-day vulnerability to upload a WAR (Web Application Resource) archive containing a webshell into the webroot of the SysAid Tomcat web service, which serves SysAid's web applications.

The threat actors then ran further PowerShell scripts and loaded the GraceWire malware, injecting it into a legitimate process that was already running (e.g. spoolsv.exe, msiexec.exe, svchost.exe). A report by Sophos states that the malware loader ('user.exe') first checks that no Sophos security products are running on the compromised system.
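The chain described above, a traversal-based upload that drops a WAR archive into the Tomcat webroot, gives a defender two places to look: the upload request itself, and the webapps directory that Tomcat auto-deploys from. The following is an added example written for this post; it is not SysAid's, Profero's or Microsoft's code. The log format, the `/upload?file=` endpoint, the upload root and the file names are all constructed for the example and do not describe SysAid's real endpoints or the published indicators.

```python
"""Added example: two defender-side checks for a path-traversal file upload that
drops a WAR archive into a Tomcat webroot. Log lines, endpoint and file names are
constructed for illustration (not SysAid's real endpoints or indicators)."""
import os
import re
import tempfile
import time
from posixpath import normpath
from urllib.parse import unquote

# Constructed access-log lines in a simple "METHOD path STATUS" shape.
SAMPLE_LOG = """\
POST /upload?file=report.pdf 200
POST /upload?file=..%2F..%2Fwebapps%2Fshell.war 200
POST /upload?file=%252e%252e/webapps/x.war 200
GET /index.html 200
POST /upload?file=notes/../../../webapps/ROOT/cmd.jsp 200
"""

UPLOAD_ROOT = "/var/uploads"  # assumed directory the application intends to write into

LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that a
    double-encoded %252e%252e is caught as well as a single-encoded %2e%2e."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_upload_root(filename: str, root: str = UPLOAD_ROOT) -> bool:
    """True if the decoded filename would resolve outside the upload root.
    Backslashes are folded to slashes so Windows-style traversal is also seen."""
    decoded = decode_repeatedly(filename).replace("\\", "/")
    resolved = normpath(root + "/" + decoded)
    return not (resolved == root or resolved.startswith(root + "/"))


def find_traversal_uploads(log_text: str) -> list:
    """Return (line_number, decoded_filename) for POST uploads that escape the root."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path")
        if "?file=" not in path:
            continue
        filename = path.split("?file=", 1)[1]
        if escapes_upload_root(filename):
            hits.append((n, decode_repeatedly(filename)))
    return hits


def unexpected_wars(webapps_dir: str, allowlist: set, newer_than: float) -> list:
    """List .war files in a Tomcat webapps directory that are not on the allowlist
    and were modified after `newer_than` (epoch seconds). Tomcat auto-deploys a
    WAR dropped there, which is why a new archive in this directory deserves an alert."""
    found = []
    for name in sorted(os.listdir(webapps_dir)):
        if not name.lower().endswith(".war") or name in allowlist:
            continue
        mtime = os.path.getmtime(os.path.join(webapps_dir, name))
        if mtime >= newer_than:
            found.append(name)
    return found


def demo_webroot_scan() -> list:
    """Build a throwaway webapps directory (constructed data) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("sysaid.war", "shell.war", "readme.txt"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"PK\x03\x04")  # zip/WAR magic bytes; content is irrelevant here
        # "sysaid.war" is an assumed name for the legitimately deployed application.
        return unexpected_wars(d, allowlist={"sysaid.war"}, newer_than=time.time() - 3600)


if __name__ == "__main__":
    for n, fname in find_traversal_uploads(SAMPLE_LOG):
        print(f"line {n}: upload escapes {UPLOAD_ROOT}: {fname}")
    print("unexpected WAR archives:", demo_webroot_scan())
```

The request-side check decodes before it normalises, because a filter that looks for the literal string `../` misses the encoded forms; the filesystem-side check is the one that still works when the request logs are missing or the entry point is unknown, since whatever the upload path, the WAR has to land in the webapps directory to be deployed.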

In a series of posts on X (formerly Twitter), Microsoft's Threat Intelligence team said its researchers had traced exploitation of the SysAid vulnerability to the hacking group it calls Lace Tempest, better known as the Clop ransomware gang.

The notorious Russia-linked ransomware gang has also been linked to the mass hacks that exploited a zero-day flaw in the file transfer service MOVEit Transfer, which is used by thousands of organizations across the globe. According to Emsisoft, more than 2,500 organizations have so far been affected.

On its official website, the company claims a customer base of more than 5,000 across 140 countries, spanning industries including education, government, and healthcare. While the exact number of affected customers remains undisclosed, SysAid has taken a proactive approach to addressing the situation.

The company has also analyzed the incident and published indicators of compromise to help detect and prevent further intrusions. These include filenames and their hashes, IP addresses involved in the attack, file paths used by the threat actor, and the specific commands used to download malware or erase traces of the initial access. By equipping its customers with these details, SysAid aims to help them strengthen their security posture and protect their data.