
SysAid warns clients to patch after ransomware gang caught exploiting new zero-day flaw

Software maker SysAid is warning customers that hackers linked to a notorious ransomware gang are exploiting a newly discovered vulnerability in its widely used IT service automation software.

SysAid chief technology officer Sasha Shapirov confirmed in a blog post Wednesday that attackers are exploiting a zero-day flaw affecting its on-premises software. A vulnerability is considered a zero-day when the vendor — in this case SysAid — has zero time to fix the bug before it is exploited by attackers.

SysAid said it learned about the vulnerability on November 2 after Microsoft notified the company about the issue. The bug is described as a path traversal flaw that allows attackers to run malicious code on an affected system.

In a statement given to information.killnetswitch, SysAid spokesperson Eyal Zombek said the company “moved shortly to nominate knowledgeable help to assist us examine and handle the problem” and “instantly started speaking with our on-premise clients concerning the matter.”


Software that sometimes requires broad access to a company’s network and systems to run properly, such as IT automation and monitoring software, is often a target for hackers seeking to maliciously hijack that access.

Microsoft’s Threat Intelligence team said in a series of posts on X (formerly Twitter) that its researchers had linked exploitation of the SysAid vulnerability to a hacking group it tracks as “Lace Tempest,” known more commonly as the Clop ransomware group. The notorious Russia-linked ransomware gang was previously linked to the mass-hacks exploiting a zero-day flaw in MOVEit Transfer, a file transfer service used by hundreds of enterprises worldwide, which has so far impacted more than 2,500 organizations and more than 67 million individuals, according to cybersecurity company Emsisoft.

Microsoft said that in the case of the SysAid flaw, the attackers “issued instructions through the SysAid software program to ship a malware loader for the Gracewire malware.” Microsoft added that the malware drop is “sometimes followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”


Microsoft said the gang “will probably use their access to exfiltrate data and deploy Clop ransomware,” citing the similar exploitation of hundreds of MOVEit systems by the ransomware gang in June.

SysAid urged its customers to look for any indicators of exploitation and to update their SysAid software to version 23.3.36, which the company released on November 8 to remediate the vulnerability.

On its website, the company says it has more than 5,000 customers across 140 countries. These customers span various industries such as education, government and healthcare. SysAid has not said how many customers are affected or whether it has seen any evidence of data exfiltration from its customer environments.

SysAid’s spokesperson would not answer information.killnetswitch’s questions.
