SysAid Zero-Day Vulnerability Exploited in CL0P Ransomware Attacks

SysAid, a popular IT service management (ITSM) software vendor, warned customers of a zero-day vulnerability in its IT service management software, which the CL0P ransomware group is currently exploiting.  

Tell me more about the SysAid zero-day vulnerability  

Tracked as CVE-2023-47246, this critical vulnerability allows attackers to execute remote code on affected SysAid servers. The severity of this exploit was brought to SysAid’s attention by the Microsoft Threat Intelligence team, citing active exploitation in the wild. The vulnerability was used by a threat actor identified as Lace Tempest (also recognized as FIN11 and TA505) to deploy the malicious CL0P ransomware. 

SysAid swiftly acknowledged the gravity of the situation, confirming that this vulnerability primarily impacts the on-premises versions of its software (specifically versions 20.1.7 and earlier). In response, the company swiftly released a comprehensive patch to address the security flaw. Additionally, SysAid proactively furnished indicators of compromise (IoCs), encompassing filenames, hashes, IP addresses, file paths used in the attack and commands executed by the threat actor during the infiltration, facilitating the detection of potential intrusions. 

What is Nuspire doing?  

Nuspire, in alignment with best practices, diligently applies patches upon release, adhering to vendor recommendations. In addition, the organization remains actively engaged in threat hunting activities within client environments, aiming to identify any signs of compromise that may arise. 

How should I protect myself from the SysAid zero-day vulnerability?  

For organizations utilizing SysAid’s IT service management software (version 20.1.7 or earlier) in an on-premises setup, immediate action is imperative to strengthen defenses against potential exploitation by the CL0P ransomware. Here are crucial steps to take: 

• Update SysAid Software: Promptly install the latest patch provided by SysAid through their official website. Ensure your systems are upgraded to version 23.3.36 to address the CVE-2023-47246 vulnerability effectively. 
• Implement Multi-Factor Authentication (MFA): Apply MFA across all user accounts to fortify security measures, mitigating unauthorized access attempts. 
• Enforce Robust Password Policies: Implement stringent password policies mandating complex and hard-to-crack passwords, enhancing overall security posture. 
• Regular Software Updates: Beyond SysAid, maintain a regimen of consistently updating all software systems to guarantee the incorporation of the latest security patches. 

Taking swift action is paramount in shielding your systems against potential exploitation by the CL0P ransomware. Immediate adoption of these preventive measures is pivotal for organizations utilizing vulnerable versions of SysAid to avert potential cyberattacks.