MOVEit Hackers Turn to SysAid Zero-Day Bug

Path Traversal Bug Leads to Code Execution Within SysAid On-Premises Software

A Russian digital extortion gang behind a raft of attacks on file transfer applications is now targeting a newly patched vulnerability in SysAid IT help desk support software.

In a tweet late Wednesday, Microsoft said the Russian-speaking gang loads GraceWire malware, a remote access Trojan also known as FlawedGrace. "This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment," Microsoft added.

Microsoft tracks the threat actor as Lace Tempest, but it's more familiar as Clop, especially after the late May mass attack on MOVEit file transfer software the gang initiated using a zero-day vulnerability (see: Data Breach Toll Tied to Clop Group's MOVEit Attack Surges).

SysAid said it had learned on Nov. 2 of a potential vulnerability, tracked as CVE-2023-47246, and contracted with security firm Profero to investigate. Security firm Elastic said it had observed exploitation of the vulnerability beginning on Oct. 30.

In an emailed statement, a SysAid spokesperson said the company "immediately began communicating with our on-premises customers about the matter, ensuring a workaround solution was implemented as quickly as possible. We have rolled out a product upgrade that includes security enhancements to address the security risk." The firm listed more than 5,000 organizations as customers on its website, including global heavyweights such as Adobe, Coca-Cola and Fuji Xerox.

Analysis showed that hackers had used "a previously unknown path traversal vulnerability leading to code execution," the company said. Hackers uploaded an archive file containing a web shell and other payloads into the webroot of the company's deployment of Tomcat, an Apache open-source program for managing web applications.

Security firm Rapid7 said a query to internet of things search engine Shodan showed only 416 instances of SysAid exposed to the public internet.

SysAid's analysis of the attacks also said the attackers use a second PowerShell script to erase evidence of their actions and that they have been downloading a Cobalt Strike listener on victim hosts, likely for persistence.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
