Clop ransomware gang targets SysAid server bug

Clop, the ransomware gang behind the recent mass exploitation of a MOVEit Transfer bug, has used a zero-day vulnerability to attack on-premise SysAid servers.

SysAid said in an advisory it became aware of the vulnerability in its IT support solution on Nov. 2 and the company issued a patch on Nov. 8.

Microsoft said on X (formerly Twitter) it alerted SysAid after discovering the threat actor it tracks as Lace Tempest exploiting the zero-day in the wild.

“Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware,” Microsoft said.

Prior to the MOVEit Transfer attacks in May, the Clop gang – also known as TA505 and FIN11 – was responsible for two other high-profile mass exploitations of vulnerabilities in enterprise software products earlier this year: GoAnywhere MFT in January, and PaperCut in April.

Researchers build PoC, but keep it secret

SysAid said the latest bug (tracked as CVE-2023-47246) was a previously unknown path traversal vulnerability leading to code execution.

The exploitation involved Clop uploading a web archive (WAR) file containing a webshell and other payloads into the webroot of the SysAid Tomcat web service, giving the gang system access and control.

They then used a PowerShell script, deployed through the webshell, to execute a malware loader that injected the GraceWire trojan.

A second PowerShell script was used to erase evidence of the attacker’s actions from the disk and the SysAid server web logs.
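The chain above suggests three defender-side checks: traversal sequences in Tomcat access-log requests, deployable archives in the webroot that nobody put there, and holes in the log timeline left by the clean-up script. This added Python triage script is not from the article, SysAid or Huntress; the log lines, directory listing and baseline are constructed, and the request pattern is an assumption since the advisory's exact indicators are not on the page.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in Tomcat's common access-log format; not from a real incident.
SAMPLE_LOG = """\
10.0.0.9 - - [30/Oct/2023:02:10:01 +0000] "GET /Login.jsp HTTP/1.1" 200 5123
10.0.0.5 - - [30/Oct/2023:02:14:07 +0000] "POST /upload?name=..%2F..%2Fwebapps%2Fx.war HTTP/1.1" 200 0
10.0.0.9 - - [30/Oct/2023:03:40:15 +0000] "GET /Login.jsp HTTP/1.1" 200 5123
"""

# Hypothetical listing of the Tomcat webapps directory and the host's assumed baseline.
SAMPLE_WEBAPPS = ["ROOT", "sysaid.war", "x.war", "manager"]
KNOWN_WEBAPPS = {"ROOT", "sysaid.war", "manager"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Split one access-log line into ip, timestamp, method, path and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "method": method,
            "path": path, "status": int(status)}

def suspicious_requests(log_text):
    """Flag requests whose decoded path carries traversal sequences or names a .war file."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        decoded = unquote(unquote(rec["path"]))  # unwrap double URL-encoding too
        if TRAVERSAL_RE.search(decoded) or ".war" in decoded.lower():
            hits.append((rec["ip"], rec["method"], decoded))
    return hits

def log_gaps(log_text, max_gap=timedelta(minutes=30)):
    """Report silent stretches: a wiped web log leaves a hole in the timeline, not a trace."""
    stamps = [r["ts"] for r in map(parse_line, log_text.splitlines()) if r]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

def unexpected_webapps(listing, baseline):
    """Any deployable archive in the webroot that is not in the baseline deserves a look."""
    return sorted(n for n in listing if n.lower().endswith(".war") and n not in baseline)

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
    print(log_gaps(SAMPLE_LOG))
    print(unexpected_webapps(SAMPLE_WEBAPPS, KNOWN_WEBAPPS))
```

Run it against the real access logs and webapps listing of a SysAid host; a gap alone is not proof of tampering, but one that lines up with a flagged request is worth a forensic image before patching.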

In a Nov. 9 post, Huntress said its research team had created a proof of concept for the exploit, which it was not making public at present.

Huntress said it was tracking 14 servers with the SysAid software installed, only one of which had been compromised by the zero-day exploit.

“This organization was first impacted on October 30, where we observed the same post-exploitation PowerShell code executed as suggested in the SysAid advisory,” it said.

Rapid7 posted on Nov. 9 that it was investigating evidence of compromise related to the bug “in at least one customer environment”.

How bad will this attack be?

Ontinue’s vice president of security operations, Craig Jones, said given the scale and impact of the MOVEit breach – which impacted over 1,000 organizations and more than 60 million individuals – it was not inconceivable the SysAid attacks by the same threat group could cause similar levels of disruption.

“While the number of affected customers is not disclosed, SysAid claims more than 5,000 customers across various industries globally,” Jones said.

“The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied, and the sensitivity of the accessed data.”

John Gallagher, vice president of Viakoo Labs, said while he didn’t expect the impact to be as widespread as the fallout from MOVEit, a large number of organizations would have to respond individually, given it was an attack against on-prem servers. “Many organizations lose track of who is responsible for on-premises deployments unless they are managed by IT,” he said. “Organizations should have a complete asset inventory, including application-based discovery.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
