SysAida company active in the software context IT Service Managementwas recently targeted by cybercriminals who exploited a flaw in the management software of the company to access the company servers.
Through this intrusion, cybercriminals acted both by stealing information from the platform and by exploiting access to spread the feared ransomware clop. This attack, on the other hand, is known to exploit exploits of this type: over the past few months, in fact, the ransomware has become the protagonist of several operations, with the one relating to MOVEit which turns out to be the most sensational.
The flaw affecting SysAid, identified as CVE-2023-47246was identified last November 2 by the team Microsoft Threat Intelligence which, once the vulnerability was discovered, promptly notified the company.
The Clop ransomware strikes again: here’s how cybercriminals exploited the exploit
The investigation identified a type vulnerability path traversalnever observed before, which led to the execution of malicious code by unauthorized personnel.
According to data collected by Microsoft Threat Intelligence, the attack was launched by the cybercriminal group known as Lace Tempest o DEV-0950. On a practical level, the attacker gained access to the SysAid network, uploading to it an archive with a WebShell and other payload.
The attacker uploaded an archive containing a WebShell and other payloads to the web root of the web service SysAid Tomcat. Next, the attacker used one script PowerShelldistributed via WebShell, to arrive a malware (via the file user.exe) on the compromised host, followed by the trojan GraceWire.
As for prevention, to anyone who uses SysAid On-Prem updating is strongly recommended version 23.3.36 which includes a patch capable of making the attack ineffective.
To be completely certain that no data has been compromised, it is advisable to use activity logs to detect suspicious behavior or other signs of activity by cybercriminals.