Ransomware gang behind MOVEit attacks is targeting new zero-day, Microsoft says

The Russian ransomware gang behind the exploitation of several popular file transfer tools is now exploiting a new vulnerability in SysAid IT support software, according to a new report.

On Wednesday night, security officials at Microsoft said the Clop ransomware gang — which they refer to as Lance Tempest — is targeting new victims through the bug, which SysAid patched after being informed of the attacks. SysAid allows customers to manage a suite of IT services.

“Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware,” Microsoft said.

In the attacks tracked by Microsoft, the hackers delivered the Gracewire malware which was then followed by attempts to move throughout a victim network before data was stolen and ransomware was deployed.

SysAid published an advisory about the vulnerability — tracked as CVE-2023-47246. The company said it was informed of the issue on November 2 and hired security company Profero to investigate the problem. They have been reaching out to customers about the issue and urged everyone to update their systems to the latest version.

The company provided detailed information about how the hackers are exploiting the vulnerability and what actions they take after gaining entry into a system.

The vulnerability caused alarm among security experts, some of whom said they saw exploitation dating back to October 30.

Incident responders at Rapid7 and other researchers said searches on Shodan showed anywhere from 416 to 384 SysAid instances exposed on the internet. Rapid7 noted that “exposed” does not necessarily imply that those instances are vulnerable.

SysAid https://t.co/5HSFColHxY— Germán Fernández (@1ZRR4H) November 9, 2023

SysAid’s website says it has more than 5,000 customers, many of which are large companies like Bacardi as well as multiple hospitals, governments and universities.

The Clop ransomware gang’s attacks on the MOVEit file transfer software earlier this year caused security incidents within governments, universities and businesses across the world.

More than 2,500 organizations were affected and data from nearly 70 million people was accessed by the gang, which is reported to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.

Victims are still coming forward, with Texas Health and Human Services Commission warning this week that recipients of Texas Medicaid had their information accessed through the MOVEit incident.

The gang has made a point of targeting popular file transfer tools, attacking products like GoAnywhere and Accellion in addition to MOVEit.

After months of silence, the Clop ransomware gang this week began posting new victims, with some wondering whether they were leftover organizations affected by the MOVEit hacks or evidence of a new attack campaign.

The gang added Texas Wesleyan University in Fort Worth, Texas to its leak site this week. Last Friday, the school posted a notice of a security incident where hackers accessed sensitive information from students and employees.

The information accessed includes Social Security numbers, passport information, financial account information, and medical information.

The school did not say how many people were affected or whether it was related to SysAid or MOVEit.

“On October 6, 2023, TXWES experienced a network disruption that impacted the functionality and access of certain systems,” the school said.

“Upon discovery of this incident, TXWES immediately disconnected all access to the network and promptly engaged a specialized third-party cybersecurity firm and IT personnel to assist with securing the environment, as well as, to conduct a comprehensive forensic investigation to determine the nature and scope of the incident. While the forensic investigation remains ongoing, TXWES found evidence to suggest some TXWES files were accessed by an unauthorized actor.”