Patch Now: Cl0p Actively Exploits SysAid On-Prem Vulnerability

Date:

November 9, 2023

World map

IT services provider SysAid is warning customers to immediately update to version 23.3.36 following exploitation of a zero-day vulnerability (CVE-2023-47246) in the SysAid IT support software threat actor by Lace Tempest who was observed to be deploying Cl0p ransomware.  

“We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network to look for any indicators further discussed below, SysAid said in a statement.

“Should you identify any indicators, take immediate action and follow your incident response protocols. If you are a SysAid customer using a SysAid On-Prem server, we advise you take the following actions:

  • Ensure that your SysAid systems are updated to version 23.3.36, which includes the patches for the identified vulnerability.
  • Conduct a thorough compromise assessment of your SysAid server to look for any indicators mentioned.
  • Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior.”

Takeaway: The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in nation-state operations.

Ransomware attacks used to be clumsier and more random, basically a numbers game where massive email spam campaigns or drive-by watering hole attacks designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin - but those days have largely passed.

Until recently, it was highly unusual to see ransomware gangs using zero-day exploits targeting vulnerabilities, as these exploits are highly valuable to attackers and were most often leveraged in nation-state operations as opposed to cybercriminal attacks.

Increasingly, threat actors are automating scans for known and unknown vulnerabilities to exploit as we have seen in the recent disruptive Cl0p campaigns targeting MoveIT and GoAnywhere software bugs, they are creating bespoke tools for more efficient collection and exfiltration of victim data and building out their RaaS platform services to smooth the negotiation and ransom payment process.

This trend represents an increased overlap between what were previously state-sponsored APT operations and those of cybercriminal ransomware attackers, including leveraging zero-day exploits and advanced techniques like DLL side-loading.

Organizations need to assume they will be the victim of a ransomware attack and focus on implementing a ransomware resilience strategy to have contingencies in place to recover as quickly as possible.  

This includes endpoint protection solutions, aggressive patch management, segmented data backups, access controls, staff awareness training, and organizational procedure and resilience testing to be successful.

Research from earlier this year found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019 for which patches were already available.  

Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for patching or were simply never addressed.

For many of these vulnerabilities, exploits have been available for quite some time, and in many cases, the exploits have been built into toolkits and largely automated, so we're also seeing an increase in ransomware attacks displaying these more sophisticated attack sequences, but the use of zero-days of this caliber is almost unprecedented.

Organizations need to run regular tabletop exercises and ensure all stakeholders are ready and available to respond to an attack at all times. A determined attacker with enough time and resources is going to find a way around security controls.  

Planning for prevention of attacks – and equally important, to be resilient in the aftermath of a successful ransomware attack - is the best way to protect the organization.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.