Synopsis: Threat actors are exploiting a zero-day vulnerability (CVE-2023-47246) in SysAid, an IT Service Management solution, to gain unauthorized access to corporate servers for data theft and to deploy ransomware.

Microsoft Threat Intelligence identified the vulnerability being leveraged by the threat actor Lace Tempest (Fin11/TA505) to deploy Clop ransomware. SysAid disclosed that the flaw is a path traversal vulnerability leading to unauthorized code execution. The attackers used the zero-day flaw to upload a WAR (Web Application Resource) archive containing a webshell, enabling them to execute PowerShell scripts and load GraceWire infostealer malware.

SysAid has released a security update in version 23.3.36 to address the vulnerability, urging users to apply the patch and administrators to check for signs of compromise using the indicators of compromise listed in SysAid’s report.

Action: SysAid customers are urged to update to version 23.3.36, conduct a compromise assessment, and review credentials and logs for any unusual behavior.
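One way to start the compromise assessment recommended above, as an added example that is not SysAid's code or part of the original advisory: a small Python scanner that lists WAR files in a Tomcat webapps directory that are not on an allow-list or that contain JSP pages (the kind of archive the attackers are described as uploading). The directory, archive and entry names below are constructed placeholders, not indicators from SysAid's report.

```python
import os
import tempfile
import zipfile

# Entries inside a WAR that Tomcat will execute as server-side code; an
# unexpected WAR carrying these is a classic webshell deployment pattern.
SUSPECT_SUFFIXES = (".jsp", ".jspx", ".jspf")


def suspicious_war_entries(war_path):
    """Return the WAR entries that end in a JSP-style suffix, sorted."""
    if not zipfile.is_zipfile(war_path):
        return []
    with zipfile.ZipFile(war_path) as war:
        return sorted(n for n in war.namelist()
                      if n.lower().endswith(SUSPECT_SUFFIXES))


def scan_webapps(webapps_dir, expected_wars=frozenset()):
    """Walk a Tomcat webapps directory and report every WAR that is either
    absent from the allow-list or contains executable page entries.
    Result: {war filename: [suspicious entries]} (empty list = not allowed)."""
    findings = {}
    for name in sorted(os.listdir(webapps_dir)):
        path = os.path.join(webapps_dir, name)
        if not name.lower().endswith(".war") or not os.path.isfile(path):
            continue
        entries = suspicious_war_entries(path)
        if name not in expected_wars or entries:
            findings[name] = entries
    return findings


def build_sample_webapps():
    """Constructed sample: a throwaway webapps dir with one expected WAR of
    static content and one unexpected WAR that carries a JSP page."""
    d = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(d, "expected-app.war"), "w") as z:
        z.writestr("index.html", "<html>ok</html>")  # placeholder content
    with zipfile.ZipFile(os.path.join(d, "dropped.war"), "w") as z:
        z.writestr("web/x.jsp", "<%-- placeholder, not a real page --%>")
    return d


if __name__ == "__main__":
    sample = build_sample_webapps()
    for war, entries in scan_webapps(sample, {"expected-app.war"}).items():
        print(f"{war}: {entries or 'not on allow-list'}")
```

On a real host, point `scan_webapps` at the SysAid Tomcat webapps directory with an allow-list of the WARs a clean install is known to ship, and treat anything reported as a lead for the log and credential review.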
