Software maker SysAid is warning customers that hackers linked to a notorious ransomware gang are exploiting a newly discovered vulnerability in its widely used IT service automation software.
SysAid chief technology officer Sasha Shapirov confirmed in a blog post Wednesday that attackers are exploiting a zero-day flaw affecting its on-premises software. A vulnerability is considered a zero-day when the vendor — in this case SysAid — has zero time to fix the bug before it is exploited by attackers.
SysAid said it learned about the vulnerability on November 2 after Microsoft notified the company about the issue. The bug is described as a path traversal flaw that allows attackers to run malicious code on an affected system.
In a statement given to TechCrunch, SysAid spokesperson Eyal Zombek said the company “moved quickly to appoint expert support to help us investigate and address the issue” and “immediately began communicating with our on-premise customers about the matter.”
Software that typically requires broad access to a company’s network and systems to run properly, such as IT automation and monitoring software, can be a target for hackers seeking to maliciously hijack that access.
Microsoft’s Threat Intelligence team said in a series of posts on X (formerly Twitter) that its researchers had linked exploitation of the SysAid vulnerability to a hacking group it tracks as “Lace Tempest,” known more commonly as the Clop ransomware group. The notorious Russia-linked ransomware gang was previously linked to the mass-hacks exploiting a zero-day flaw in MOVEit Transfer, a file transfer service used by thousands of enterprises worldwide, which has so far impacted more than 2,500 organizations and more than 67 million individuals, according to cybersecurity company Emsisoft.
Microsoft said that in the case of the SysAid flaw, the attackers “issued commands via the SysAid software to deliver a malware loader for the Gracewire malware.” Microsoft added that the malware drop is “typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”
Microsoft said the gang “will likely use their access to exfiltrate data and deploy Clop ransomware,” citing the similar exploitation of thousands of MOVEit systems by the ransomware gang in June.
SysAid urged its customers to look for any signs of exploitation and to update their SysAid software to version 23.3.36, which the company released on November 8 to remediate the vulnerability.
It is not yet known when the SysAid attacks began, though Elastic Security tech lead Joe Desimone posted on X that they observed exploitation of the vulnerability as early as October 30.
On its website, the company says it has more than 5,000 customers across 140 countries. These customers span various industries such as education, government and healthcare. SysAid has not said how many customers are affected or whether it has seen any evidence of data exfiltration from its customer environments.
SysAid’s spokesperson would not answer TechCrunch’s questions.