MOVEit Gang Targets SysAid Customers With Zero-Day Attacks


Microsoft has revealed a new threat campaign exploiting a zero-day vulnerability in the popular SysAid IT helpdesk software.

Posting to X (formerly Twitter) yesterday, the Microsoft Threat Intelligence account said the group is the same one responsible for the MOVEit data theft and extortion campaign – a threat actor known as Lace Tempest (aka DEV-0950, FIN11 and TA505).

“Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched,” the post continued.

“Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware.”

Microsoft explained that after exploiting the vulnerability, the threat actors will issue commands via SysAid to deliver a loader for Gracewire malware to victim systems.

“This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment,” it added.


A SysAid advisory revealed that the zero-day path traversal vulnerability affects its on-premises server software.

The firm urged customers to upgrade immediately to version 23.3.36, conduct a thorough assessment to check for indicators of compromise (IoCs), check relevant logs and review any credentials or other information that may have been exposed to threat actors.
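As an added illustration of the log review SysAid asks for (this script is not from the article, SysAid or Microsoft, and the page lists no concrete indicators), the example below scans web-server access logs for path-traversal sequences, the vulnerability class the advisory names, including URL-encoded and double-encoded variants that a naive grep for `../` would miss. The log format (Apache/Tomcat "common" style), the endpoint and parameter names, and the log lines themselves are constructed for the example; treat the output as a hunting lead to triage against the vendor's published indicators, not as proof of compromise.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format. The hosts,
# paths and parameter names are hypothetical and are NOT SysAid IoCs.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2023:10:01:12 +0000] "GET /helpdesk/Login.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [08/Nov/2023:10:02:44 +0000] "POST /helpdesk/example?path=..%2F..%2F..%2Fwebapps HTTP/1.1" 200 0
203.0.113.9 - - [08/Nov/2023:10:02:45 +0000] "GET /helpdesk/%2e%2e/%2e%2e/conf/app.xml HTTP/1.1" 404 0
198.51.100.4 - - [08/Nov/2023:10:02:50 +0000] "GET /helpdesk/files/%252e%252e%252fetc HTTP/1.1" 200 311
10.0.0.7 - - [08/Nov/2023:10:03:01 +0000] "GET /helpdesk/static/app.js HTTP/1.1" 200 22000
"""

# Fields of one common-log-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment bounded by a path separator, query delimiter or string edge.
# Backslashes are normalised to "/" before this runs, so only "/" is needed here.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')


def fully_decode(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %252e%252e%252f also becomes ../.

    Stops early once decoding no longer changes the string; also folds
    backslashes into forward slashes so "..\\" is treated like "../".
    """
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace('\\', '/')


def find_traversal_attempts(log_text: str) -> list:
    """Return one dict per request whose decoded URI contains a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        decoded = fully_decode(m['uri'])
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                'ip': m['ip'],
                'ts': m['ts'],
                'method': m['method'],
                'status': int(m['status']),
                'uri': m['uri'],
                'decoded': decoded,
            })
    return hits


def attempts_by_source(hits: list) -> dict:
    """Count traversal attempts per client IP; repeat offenders go first."""
    counts: dict = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def successful_attempts(hits: list) -> list:
    """Traversal requests answered with 2xx deserve the earliest attention:
    a 404 is a probe, a 200 may mean the server accepted the path."""
    return [h for h in hits if 200 <= h['status'] < 300]


if __name__ == '__main__':
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['status']} {h['decoded']}")
    print('per-source counts:', attempts_by_source(found))
    print('accepted (2xx):', len(successful_attempts(found)))
```

Run it against the real access logs of the SysAid host (and any reverse proxy in front of it) rather than the constructed sample, and widen the time window to well before the patch date, since the advisory's point is that exploitation may have preceded remediation.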

“Being that this impacts on-premises deployments, this will take a long time to effectively remediate. Unlike cloud-based deployments, having this remediated will take individual action across a large number of organizations,” argued John Gallagher, VP of Viakoo Labs at Viakoo.

“While this will not be as widespread as the MOVEit vulnerability, it’s clear that the threat actor behind it is continuing to develop and deploy new ransomware threats. Organizations should use this as a warning to have effective threat assessment and remediation processes in place, especially for non-IT assets like IoT devices and applications.”
