The gang behind the MOVEit hack could be on the prowl again.
IT support firm SysAid is reporting that a zero-day vulnerability in its on-premises software is being actively exploited by the same threat actor behind this year’s MOVEit file transfer attacks.
Microsoft first spotted the active exploitation on 2 November, notified SysAid, and shared its findings in a tweet.
“Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware,” Microsoft said. “Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched.”
Depending on which threat researcher you ask, Lace Tempest either overlaps with the Clop gang (or Cl0p, if you want to be more confused), is an affiliate of it, or simply uses the same ransomware.
According to SysAid’s initial investigation, the vulnerability could lead to remote code execution on unpatched versions of its software.
“The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software,” SysAid said on its service desk blog.
“The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.”
This web shell gave the attacker “unauthorised access and control over the affected system”. From there, a PowerShell script executed a malware loader, which in turn deployed the GraceWire Trojan into several processes.
According to Microsoft, “this is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”
“After this initial access and the deployment of the malware, the attacker utilised a second PowerShell script to erase evidence associated with the attacker’s actions from the disk and the SysAid on-prem server web logs.”
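The chain SysAid describes (a WAR archive dropped into the Tomcat webroot, a JSP web shell inside it, then PowerShell and log wiping) leaves one artefact that is cheap to hunt for: an archive or loose JSP under the webroot that no administrator deployed. The script below is an added example, not SysAid's or Microsoft's code and not taken from their IOC list. It assumes a standard Tomcat `webapps/` layout and an operator-supplied allowlist of expected application names (both assumptions), builds a synthetic webroot containing one legitimate and one dropped archive, and flags anything unexpected whose JSP content looks like a command shell.

```python
"""Hunt a Tomcat webroot for dropped WAR archives and JSP web shells.

Added example, not SysAid's or Microsoft's code. The webroot layout, the
allowlist and the sample archives below are assumptions/constructed data.
"""
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Generic Java/JSP constructs seen in web shells (process execution and
# hard-coded shell binaries). Not CVE-specific indicators.
SHELL_INDICATORS = [
    ("runtime-exec", re.compile(rb"Runtime\.getRuntime\(\)\.exec")),
    ("process-builder", re.compile(rb"new\s+ProcessBuilder")),
    ("shell-binary", re.compile(rb"cmd\.exe|/bin/(?:ba)?sh")),
]


def scan_jsp_bytes(data: bytes) -> list[str]:
    """Return the indicator names matched in a JSP source blob."""
    return [name for name, pat in SHELL_INDICATORS if pat.search(data)]


def scan_war(war_path: Path) -> dict:
    """List JSP entries inside a WAR and any shell-like code they contain."""
    findings = {"war": war_path.name, "jsp_entries": [], "suspicious": {}}
    with zipfile.ZipFile(war_path) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".jsp", ".jspx")):
                findings["jsp_entries"].append(name)
                hits = scan_jsp_bytes(zf.read(name))
                if hits:
                    findings["suspicious"][name] = hits
    return findings


def hunt_webroot(webroot: Path, allowlist: set[str]) -> list[dict]:
    """Flag WARs whose base name is not an expected application, plus loose
    JSP files anywhere under the webroot that contain shell-like code."""
    flagged = []
    for war in sorted(webroot.rglob("*.war")):
        if war.stem not in allowlist:
            flagged.append({"reason": "unexpected WAR", **scan_war(war)})
    for jsp in sorted(webroot.rglob("*.jsp")):
        hits = scan_jsp_bytes(jsp.read_bytes())
        if hits:
            flagged.append({"reason": "shell-like JSP",
                            "path": jsp.name, "suspicious": hits})
    return flagged


def build_demo_webroot(root: Path) -> Path:
    """Constructed sample webroot: one expected WAR, one dropped shell WAR."""
    webapps = root / "webapps"
    webapps.mkdir(parents=True)
    # Expected application archive (constructed, harmless JSP).
    with zipfile.ZipFile(webapps / "sysaid.war", "w") as zf:
        zf.writestr("index.jsp", "<html><%= request.getServerName() %></html>")
    # Dropped archive (constructed): JSP that hands a request parameter to exec().
    shell = ('<%@ page import="java.io.*" %>'
             '<% String c = request.getParameter("cmd");'
             ' Process p = Runtime.getRuntime().exec(c); %>')
    with zipfile.ZipFile(webapps / "dropped.war", "w") as zf:
        zf.writestr("shell.jsp", shell)
    return webapps


def demo() -> list[dict]:
    """Build the sample webroot in a temp dir and run the hunt against it."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = build_demo_webroot(Path(tmp))
        return hunt_webroot(webroot, allowlist={"sysaid"})  # allowlist is an assumption


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real server you would point `hunt_webroot` at the actual Tomcat `webapps` directory with the list of applications your change records say should be there, and treat any unexpected archive as worth preserving before touching it, since the second-stage script described above wipes evidence from disk and web logs.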
SysAid’s advice is to update all on-premises installations to version 23.3.36 and to conduct a full assessment of any network that could be compromised.
SysAid has published a full list of indicators of compromise on its service desk blog.
It remains to be seen if SysAid has moved quickly enough to stop Clop in its tracks. In the case of the MOVEit hack, data exfiltration began within a day of the vulnerability being exploited and went on for some time. Hundreds of businesses and government agencies around the world were impacted, including PwC and Medibank in Australia.
The gang has so far made no announcement on its leak site about its possible involvement. Its most recent ransomware victims, Texas Wesleyan University and Swish Dental, both from the US, were only added to its leak site this week after a period of relative inactivity. It is not known whether those organisations use SysAid’s support software.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.