Microsoft and SysAid Find Clop Malware Vulnerability
November 11, 2023
SysAid has patched a zero-day vulnerability that could allow attackers to exfiltrate data and launch ransomware.
On Nov. 8, SysAid, an Israel-based IT service management software company, reported a potentially exploited zero-day vulnerability in their on-premises software. Users of their on-premises server installations were encouraged to run version 23.3.36, which contained a fix. Microsoft Threat Intelligence analyzed the threat and found that Lace Tempest had exploited it.
The vulnerability was exploited by the threat group Lace Tempest, which distributes the Clop malware, Microsoft Threat Intelligence said on Nov. 8 on X (formerly Twitter). The Microsoft security experts wrote, in part, “…Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware.”
The ultimate goal of attacks like this is often lateral movement through a system, data theft and ransomware.
Profero diagnosed the vulnerability and SysAid patched it
After discovering the potential vulnerability on Nov. 2, SysAid called in Israel-based rapid incident response company Profero, which discovered the details of the vulnerability. Profero found that the attacker used a path traversal vulnerability to upload a WAR archive containing a WebShell and other payloads into the SysAid Tomcat web service’s webroot. From there, Lace Tempest delivered a malware loader for the Gracewire malware.
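The bug class Profero describes, a path traversal that lets an uploaded archive land in the Tomcat webroot, is easiest to understand beside the server-side check that prevents it. The following is an added example in Python, not SysAid's or Profero's code: the upload root and filenames are constructed, the naive function shows the vulnerable join, and the hardened function rejects any name that resolves outside the upload directory or that Tomcat would deploy or execute.

```python
import os

# Hypothetical upload directory used for the demonstration (constructed, not SysAid's layout).
UPLOAD_ROOT = "/srv/app/uploads"
# File types Tomcat auto-deploys or executes; ordinary uploads must never carry them.
BLOCKED_SUFFIXES = {".war", ".jar", ".jsp", ".jspx"}


def naive_upload_path(root: str, client_name: str) -> str:
    """Vulnerable pattern: join the client-supplied name and trust the result.
    A name such as '../webapps/x.war' resolves outside root."""
    return os.path.normpath(os.path.join(root, client_name))


def hardened_upload_path(root: str, client_name: str) -> str:
    """Resolve the client name against root and refuse anything that escapes it
    or that Tomcat would deploy/execute. Raises ValueError on rejection."""
    if "\x00" in client_name:
        raise ValueError("NUL byte in filename")
    # Treat backslashes as separators too, so Windows-style traversal is caught.
    name = client_name.replace("\\", "/")
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, name))
    # commonpath avoids prefix tricks such as /srv/app/uploads-old matching /srv/app/uploads.
    if candidate == root_abs or os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"path escapes upload directory: {client_name!r}")
    if os.path.splitext(candidate)[1].lower() in BLOCKED_SUFFIXES:
        raise ValueError(f"disallowed file type: {client_name!r}")
    return candidate


def is_safe_upload(root: str, client_name: str) -> bool:
    """Boolean wrapper for logging or unit tests."""
    try:
        hardened_upload_path(root, client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one benign, three that a hardened server must reject.
    for sample in ["report.pdf", "../webapps/shell.war", "..\\..\\webapps\\x.war", "/etc/passwd"]:
        print(f"{sample!r:30} naive={naive_upload_path(UPLOAD_ROOT, sample)!r:40} "
              f"safe={is_safe_upload(UPLOAD_ROOT, sample)}")
```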
SysAid provided a list of indicators of compromise and steps to take in its blog post about this vulnerability. To protect your organization against this malware, SysAid emphasized the importance of downloading the patch. Organizations should review what information may have been stored within their SysAid server that might be appealing to attackers and check the server's activity logs for unauthorized behavior. Other recommended actions include updating SysAid systems and conducting a thorough compromise assessment of your SysAid server.
Clop malware has been used in high-profile ransoms