Microsoft has revealed a new threat campaign exploiting a zero-day vulnerability in popular IT help desk software SysAid.
Posting yesterday on 0950, FIN11 and TA505).
“Microsoft notified SysAid of the issue (CVE-2023-47246), which they immediately fixed,” the post continues.
“Organizations using SysAid should apply the patch and look for any signs of exploitation before applying the patch, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware.”
Microsoft explained that after exploiting the vulnerability, malicious actors will issue commands through SysAid to deliver a Gracewire malware loader to victim systems.
“This is usually followed by human activity, including lateral movement, data theft, and ransomware deployment,” Microsoft added.
A SysAid review revealed that the zero-day path traversal vulnerability affects its on-premises server software.
The company urged its customers to immediately upgrade to version 23.3.36, conduct a thorough assessment to check for indicators of compromise (IoCs), check relevant logs, and review any credentials or other information likely to have been exposed to malicious actors.
“As this impacts on-premises deployments, it will take a significant amount of time to effectively address this. Unlike cloud-based deployments, solving this problem will require individual measures across a large number of organizations,” explained John Gallagher, vice president of Viakoo Labs at Viakoo.
“While the MOVEit vulnerability will not be as widespread, it is clear that the threat actor continues to develop and deploy new ransomware threats. Organizations should use this as a wake-up call to establish effective threat assessment and remediation processes, particularly for non-IT assets such as IoT devices and applications.”