The notorious Cl0p ransomware gang has been caught exploiting a new zero-day vulnerability in the SysAid IT support software.
The hacker group behind the wave of MOVEit Transfer-related attacks, the Russia-linked Cl0p ransomware cartel, isn’t resting on its laurels.
According to researchers at Microsoft Threat Intelligence, the threat actors have been exploiting a previously unknown bug in the SysAid IT support software.
SysAid is an Israel-based international software company whose products are used by tens of thousands of organizations worldwide. SysAid provides tools to support IT operations, such as help desk, asset management, remote control, patch management, and other services.
According to SysAid, the vulnerability tracked as CVE-2023-47246 affects its on-premise software. The company urged its customers to update their SysAid software to version 23.3.36, which remediates the identified vulnerability.
The vulnerability allowed attackers to upload a WAR archive with a WebShell and other payloads in the webroot of the SysAid Tomcat web service. Once the WebShell is deployed, it grants attackers unauthorized access to the affected system.
According to Microsoft, after exploiting the bug, Lace Tempest, a threat actor that distributes Cl0p ransomware, issued commands via the SysAid software.
“After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware. This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment,” researchers said.
Who is behind Cl0p?
Earlier this year, the Cl0p ransomware cartel exploited a zero-day bug in the MOVEit Transfer software, allowing attackers to access and download stored data.
According to researchers at Emsisoft, over 2,500 organizations – mainly in the US – and over 66 million individuals have been impacted by MOVEit attacks by the Russia-linked ransomware cartel.
Taking IBM’s estimate, which puts the cost of an average data breach at $165 per leaked record, the impact of Cl0p attacks would add up to a staggering $10.7 billion.
Cl0p goes by a few different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The gang is quite old, having been first observed back in 2019.
Earlier this summer, Cybernews received evidence that one of the Cl0p ransomware strain developers was in the city of Kramatorsk in Eastern Ukraine, on the front line of the Russia-Ukraine war.
Recent reports into how the gang distributes stolen data indicate that they employ virtual private server (VPS) hosting services, with servers physically located in Russia’s two largest cities: Moscow and Saint Petersburg.
More from Cybernews:
Subscribe to our newsletter