SysAid, a provider of IT service management software, has recently been targeted by a ransomware operation exploiting a zero-day vulnerability in its on-premises software. The vulnerability, identified as CVE-2023-47246, was first observed by Microsoft's threat intelligence team, who promptly notified SysAid. The flaw is a path traversal issue that leads to arbitrary code execution, potentially allowing unauthorized access and control over the affected system.
The threat actor exploiting this vulnerability is known as Lace Tempest, an affiliate known for deploying Cl0p ransomware. The group has previously exploited zero-day vulnerabilities in other software solutions. The exploitation of this vulnerability has likely resulted in ransomware deployment and/or data exfiltration.
The vulnerability was confirmed by cybersecurity firm Profero, which discovered that the attacker could upload a WebShell and other payloads into the webroot of the SysAid Tomcat web service. This allowed the attacker to issue commands via the SysAid software to deliver a loader for the Gracewire malware, enabling human-operated activity such as lateral movement, data theft, and ransomware deployment.
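As an added illustration of the defender-side checks this pattern implies (example code, not from SysAid, Profero or Microsoft): the script below decodes request paths from a Tomcat-style access log to surface directory-traversal sequences, and flags executable files in the webroot that are absent from a known deployment manifest. The log lines, file names and allowlist are constructed for the example.

```python
"""Hunting helpers for the 'traversal upload drops a WebShell in the Tomcat
webroot' pattern. Added example; all sample data below is constructed."""
import re
from urllib.parse import unquote

# Files Tomcat will execute if they appear under the webroot.
EXECUTABLE_EXTS = (".jsp", ".jspx", ".war")
_REQ = re.compile(r'"(GET|POST|PUT) (\S+) HTTP/[\d.]+"')
_DOTDOT = re.compile(r"(?:^|[/?=&])\.\.(?:/|$)")

def normalize_path(raw: str) -> str:
    """URL-decode up to three times (catches double encoding) and fold
    backslashes to '/' so '..' segments cannot hide behind encoding."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_traversal(raw_path: str) -> bool:
    """True if the decoded path or query carries a '..' segment."""
    return bool(_DOTDOT.search(normalize_path(raw_path)))

def suspicious_requests(log_lines):
    """Return (method, decoded_path) for requests that either attempt
    traversal or POST directly to an executable page in the webroot."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        method, path = m.group(1), normalize_path(m.group(2))
        target = path.split("?", 1)[0].lower()   # path without query string
        if is_traversal(path) or (method == "POST" and target.endswith(EXECUTABLE_EXTS)):
            hits.append((method, path))
    return hits

def unexpected_webroot_files(listing, allowlist):
    """Executable files in the webroot listing that the deployment manifest
    (allowlist) does not account for; a dropped WebShell shows up here."""
    return sorted(f for f in listing
                  if f.lower().endswith(EXECUTABLE_EXTS) and f not in allowlist)

# Constructed sample access-log lines (not real SysAid telemetry).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2023:10:01:02 +0000] "POST /upload?name=%2e%2e%2f%2e%2e%2fwebapps/ROOT/x.jsp HTTP/1.1" 200 12',
    '10.0.0.6 - - [08/Nov/2023:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [08/Nov/2023:10:01:09 +0000] "POST /x.jsp HTTP/1.1" 200 64',
]
```

Run `suspicious_requests(SAMPLE_LOG)` against a real Tomcat access log export and `unexpected_webroot_files` against a listing of the webroot to triage hosts that were exposed before the 23.3 update was applied.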
In response to the threat, SysAid's CTO Sasha Shapirov noted that the company immediately initiated its incident response protocol and began proactively communicating with its on-premises customers to ensure they could implement a mitigation solution. SysAid has since released version 23.3 to address the vulnerability.
The exploitation of this vulnerability underscores the importance of robust cybersecurity measures and the need for constant vigilance in the face of evolving threats. It also highlights the critical role of threat intelligence teams in identifying and responding to such threats in a timely manner.