Zero-Day Vulnerability in SysAid’s On-Premises Software Exposed to Hackers

SysAid, a leading software maker for IT service automation, has issued a warning to its customers regarding a newly discovered vulnerability in its widely used on-premises software. The company’s chief technology officer, Sasha Shapirov, confirmed in a blog post that attackers are exploiting a zero-day flaw affecting the software.

What is a Zero-Day Vulnerability?

A vulnerability is considered a zero-day when the vendor has zero time to fix the bug before it is exploited by attackers. In this case, SysAid learned about the vulnerability on November 2 after Microsoft notified the company about the issue.

The Bug: A Path Traversal Flaw

The bug is described as a path traversal flaw that allows attackers to run malicious code on an affected system. This type of vulnerability can be particularly devastating, as it enables hackers to gain unauthorized access to sensitive data and systems.

SysAid’s Response

In a statement given to TechCrunch, SysAid spokesperson Eyal Zombek said the company "moved quickly to appoint expert support to help us investigate and address the issue" and "immediately began communicating with our on-premise customers about the matter." The company has also released an update (version 23.3.36) to remediate the vulnerability.

The Ransomware Gang: Lace Tempest (Clop)

Microsoft’s Threat Intelligence team has linked the exploitation of the SysAid vulnerability to a hacking group it tracks as ‘Lace Tempest,’ known more commonly as the Clop ransomware group. This notorious Russia-linked ransomware gang was previously linked to mass-hacks exploiting a zero-day flaw in MOVEit Transfer, a file transfer service used by thousands of enterprises worldwide.

The Attack

In this case, the attackers issued commands via the SysAid software to deliver a malware loader for the Gracewire malware. Microsoft added that the malware drop is "typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment."

Microsoft’s Notification

Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched.

Customer Impact

SysAid has not said how many customers are affected or whether it has seen any evidence of data exfiltration from its customer environments. However, the company’s on-premises software is used by more than 5,000 customers across 140 countries in various industries such as education, government, and healthcare.

What You Can Do

SysAid urged its customers to look for any signs of exploitation and to update their SysAid software to version 23.3.36, which the company released on November 8 to remediate the vulnerability. It is essential for customers to remain vigilant and take immediate action to protect themselves from this known vulnerability.

About the Author

Carly Page is a Senior Reporter at TechCrunch, where she covers the cybersecurity beat. She has spent more than a decade in the technology industry, writing for titles including Forbes, TechRadar, and WIRED.

You can contact Carly securely on Signal at +441536 853956 or via email at carly.page@techcrunch.com.
