SysAid, a popular IT service management (ITSM) software vendor, has warned customers of a zero-day vulnerability in its ITSM software that the CL0P ransomware group is actively exploiting.
Tracked as CVE-2023-47246, this critical vulnerability allows attackers to execute code remotely on affected SysAid servers. The Microsoft Threat Intelligence team brought the issue to SysAid’s attention after observing active exploitation in the wild. The vulnerability was used by a threat actor tracked as Lace Tempest (also known as FIN11 and TA505) to deploy CL0P ransomware.
SysAid confirmed that the vulnerability primarily affects the on-premises versions of its software (specifically versions 20.1.7 and earlier) and promptly released a patch to address the flaw. SysAid also published indicators of compromise (IoCs), including filenames, hashes, IP addresses, file paths used in the attack and commands executed by the threat actor during the intrusion, to help organizations detect potential compromise.
Nuspire applies patches as soon as they are released, in line with vendor recommendations, and continues to conduct threat hunting in client environments to identify any signs of compromise.
Organizations running SysAid’s ITSM software on-premises at version 20.1.7 or earlier should act immediately to reduce the risk of exploitation by the CL0P ransomware. Here are crucial steps to take:
Acting quickly is essential to protect your systems from exploitation by the CL0P ransomware. Organizations running vulnerable versions of SysAid should adopt these preventive measures immediately.
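As an added example (not code from the original advisory, SysAid or Nuspire), the following script triages a constructed SysAid inventory and flags on-premises installs at version 20.1.7 or earlier, the range the advisory names, so they can be patched and checked against the published IoCs. The inventory rows, hostnames and the `deployment` field are assumptions made for the example; versions are compared numerically so that 20.1.10 is correctly treated as newer than 20.1.7.

```python
"""Added example: triage a SysAid inventory for CVE-2023-47246 exposure."""
from typing import Dict, List, Optional, Tuple

# Affected range from the advisory: on-premises SysAid 20.1.7 and earlier.
LAST_AFFECTED = (20, 1, 7)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse 'major.minor.patch' into integers.

    String comparison would wrongly rank '20.1.10' below '20.1.7', so each
    component is converted to an int. Returns None for anything that is not
    a dotted numeric version, and pads short versions (e.g. '20') with zeros.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def is_affected(version: str, deployment: str) -> bool:
    """True when the install is on-prem and at or below 20.1.7.

    Cloud tenants are patched by the vendor and are not flagged. A version
    that cannot be parsed is treated as affected so that it gets reviewed
    rather than silently skipped. Only the first three components are
    compared, so a 20.1.7.x build is also flagged for review.
    """
    if deployment.lower() != "on-prem":
        return False
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed[:3] <= LAST_AFFECTED


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the sorted hostnames that need the vendor patch and IoC review."""
    return sorted(row["host"] for row in inventory
                  if is_affected(row["version"], row["deployment"]))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "itsm-01.example", "version": "20.1.7",  "deployment": "on-prem"},
    {"host": "itsm-02.example", "version": "20.1.10", "deployment": "on-prem"},
    {"host": "itsm-03.example", "version": "19.4.2",  "deployment": "on-prem"},
    {"host": "itsm-04.example", "version": "20.1.7",  "deployment": "cloud"},
    {"host": "itsm-05.example", "version": "n/a",     "deployment": "on-prem"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs patch and IoC review:", host)
```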