Microsoft and SysAid Find Clop Malware Vulnerability
SysAid has patched a zero-day vulnerability that could allow attackers to exfiltrate data and launch ransomware.
On Nov. 8, SysAid, an Israel-based IT service management software company, reported a potentially exploited zero-day vulnerability in its on-premises software. Customers running on-premises server installations were urged to upgrade to version 23.3.36, which contains the fix. Microsoft Threat Intelligence analyzed the activity and attributed the exploitation to Lace Tempest.
The vulnerability was exploited by the threat group Lace Tempest, which distributes the Clop malware, Microsoft Threat Intelligence said on Nov. 8 on X (formerly Twitter). The Microsoft security experts wrote, in part, “…Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware.”
The ultimate goal of attacks like this is typically lateral movement through the victim's network, data theft and ransomware deployment.
Profero diagnosed and SysAid patched the vulnerability
After discovering the potential vulnerability on Nov. 2, SysAid called in Israel-based rapid incident response company Profero, which discovered the details of the vulnerability. Profero found that the attacker used a path traversal vulnerability to upload a WAR archive containing a WebShell and other payloads into the SysAid Tomcat web service’s webroot. From there, Lace Tempest delivered a malware loader for the Gracewire malware.
This vulnerability was recorded by MITRE as CVE-2023-47246.
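The attack path above, a path traversal in a file-handling endpoint that lets an attacker drop a WAR archive into the servlet container's webroot, is easiest to understand beside the check that prevents it. The following is an added illustration of that bug class and its fix, not SysAid's or Profero's code; the directory layout, file names and the `vulnerable_save`/`safe_save` functions are constructed for the demo and say nothing about how the real SysAid endpoint was written.

```python
# Added example (not SysAid's or Profero's code): a file-save routine that trusts a
# client-supplied name, so "../" walks out of the upload directory and into the
# container's webapps folder, beside a hardened version that resolves the final
# path and refuses anything that does not stay under the upload directory.
# The "uploads" / "webapps" layout and file names are hypothetical.
import os
import tempfile
from pathlib import Path

# Content types a ticketing app never needs to accept; a WAR or JSP in the
# webroot is executable code, which is what made the SysAid upload dangerous.
DENIED_SUFFIXES = {".war", ".jsp", ".jspx", ".jar"}


def vulnerable_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Vulnerable: joins the client name verbatim, so '../webapps/x.war' escapes upload_dir."""
    dest = os.path.join(upload_dir, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.abspath(dest)


def safe_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Hardened: normalise the final path (symlinks and '..' included) and require it
    to sit strictly below the resolved upload directory; also deny executable web content."""
    base = Path(upload_dir).resolve()
    dest = (base / client_filename).resolve()
    if base not in dest.parents:
        # Covers '../' traversal, absolute paths and an empty name (dest == base).
        raise ValueError(f"path escapes upload directory: {client_filename!r}")
    if dest.suffix.lower() in DENIED_SUFFIXES:
        raise ValueError(f"disallowed upload type: {dest.suffix}")
    with open(dest, "wb") as fh:
        fh.write(data)
    return str(dest)


def demo() -> dict:
    """Constructed scenario: an 'uploads' folder beside the container's 'webapps' folder."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    webapps = os.path.join(root, "webapps")
    os.makedirs(uploads)
    os.makedirs(webapps)
    fake_war = b"PK\x03\x04 constructed, not a real archive"

    # Attacker-controlled name climbs one level into the webroot.
    evil_name = "../webapps/shell.war"
    vulnerable_save(uploads, evil_name, fake_war)
    landed_in_webroot = os.path.exists(os.path.join(webapps, "shell.war"))

    try:
        safe_save(uploads, evil_name, fake_war)
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True

    try:  # no traversal, but still executable content: blocked by the type check
        safe_save(uploads, "shell.war", fake_war)
        type_blocked = False
    except ValueError:
        type_blocked = True

    benign = safe_save(uploads, "ticket-attachment.txt", b"hello")
    return {
        "landed_in_webroot": landed_in_webroot,
        "traversal_blocked": traversal_blocked,
        "type_blocked": type_blocked,
        "benign_ok": os.path.exists(benign) and Path(benign).parent == Path(uploads).resolve(),
    }


if __name__ == "__main__":
    print(demo())
```

The containment check uses `Path.resolve()` on the final destination rather than string matching on `..`, so encoded or mixed-separator variants that normalise to the same place are caught the same way; rejecting WAR and JSP uploads outright is a second, independent control for the case where the path check is ever bypassed.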
How to protect against this Clop vulnerability
SysAid published a list of indicators of compromise and remediation steps in its blog post about this vulnerability. First and foremost, SysAid stressed installing the patched version. Organizations should also review what information stored in their SysAid server might be valuable to attackers, check the server's activity logs for unauthorized behavior, keep SysAid systems updated and conduct a thorough compromise assessment of the SysAid server.
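A compromise assessment of the SysAid server should start where the advisory says the attacker landed: the Tomcat webapps directory. The sweep below is an added example, not SysAid's published IOC list or script; it flags deployments that are not on an allowlist and JSP files (inside WAR archives or exploded apps) that carry generic command-execution patterns. The webroot layout, the allowlist and the planted `planted.war` sample are constructed for the demo.

```python
# Added example (not SysAid's advisory script): sweep a Tomcat webapps directory for
# deployments outside an allowlist and for JSP files with webshell indicators. The
# indicator patterns are generic Java command-execution idioms, not SysAid's IOCs;
# the directory contents below are constructed so the script runs offline.
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Set

# Generic JSP webshell indicators: OS command execution or runtime class loading.
WEBSHELL_INDICATORS = [
    ("Runtime.exec", re.compile(rb"Runtime\.getRuntime\(\)\s*\.\s*exec")),
    ("ProcessBuilder", re.compile(rb"new\s+ProcessBuilder")),
    ("defineClass", re.compile(rb"\.defineClass\s*\(")),
]


def scan_jsp_bytes(data: bytes) -> List[str]:
    """Return the names of the indicators that match this JSP source."""
    return [label for label, pattern in WEBSHELL_INDICATORS if pattern.search(data)]


def assess_webroot(webapps: str, expected_apps: Set[str]) -> List[Dict[str, str]]:
    """Walk one level of webapps/: every WAR file or exploded app directory is a deployment."""
    findings: List[Dict[str, str]] = []
    for entry in sorted(Path(webapps).iterdir()):
        is_war = entry.is_file() and entry.suffix.lower() == ".war"
        app_name = entry.stem if is_war else entry.name
        if app_name not in expected_apps:
            findings.append({"path": str(entry), "reason": "unexpected deployment"})
        if is_war:
            with zipfile.ZipFile(entry) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(".jsp"):
                        hits = scan_jsp_bytes(zf.read(member))
                        if hits:
                            findings.append({"path": f"{entry}!{member}",
                                             "reason": "webshell indicators: " + ", ".join(hits)})
        elif entry.is_dir():
            for jsp in entry.rglob("*.jsp"):
                hits = scan_jsp_bytes(jsp.read_bytes())
                if hits:
                    findings.append({"path": str(jsp),
                                     "reason": "webshell indicators: " + ", ".join(hits)})
    return findings


def demo() -> List[Dict[str, str]]:
    """Constructed webroot: one legitimate exploded app plus a planted WAR holding a webshell."""
    webapps = os.path.join(tempfile.mkdtemp(), "webapps")
    os.makedirs(os.path.join(webapps, "ROOT"))
    Path(webapps, "ROOT", "index.jsp").write_text("<html><%= new java.util.Date() %></html>")
    # Planted WAR mimicking the advisory's attack path (constructed sample, not a real IOC).
    shell_jsp = b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
    with zipfile.ZipFile(os.path.join(webapps, "planted.war"), "w") as zf:
        zf.writestr("cmd.jsp", shell_jsp)
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
    return assess_webroot(webapps, expected_apps={"ROOT"})


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['reason']}: {finding['path']}")
```

On a real server, point `assess_webroot` at the Tomcat webapps folder of the SysAid installation and fill the allowlist from a known-good install or backup; anything flagged should be compared against SysAid's published indicators and the server's access logs for the request that created it, since a WAR in the webroot is auto-deployed by Tomcat and does not need to be referenced anywhere else to be reachable.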
Clop malware has been used in high-profile ransoms
Clop, the ransomware Microsoft expects Lace Tempest to deploy on SysAid on-premises servers after gaining access through the path traversal vulnerability, first appeared in 2019. Clop is associated with a Russian-aligned threat actor group known by the same name, which Microsoft says has "overlaps" with Lace Tempest. In June 2023, Microsoft identified Lace Tempest as the operator of the extortion site used by the Clop ransomware operation.
The Clop ransomware group has claimed responsibility for several major attacks in 2023. In June, it threatened to publish data stolen from British Airways, the BBC and the British retailer Boots. Those organizations were victims of the group's mass exploitation that month of a zero-day in Progress Software's MOVEit Transfer file-transfer product, a campaign that centered on data theft and extortion rather than file encryption.