{
	"id": "9ae6f8bf-b82a-4c30-943b-7c3927233179",
	"created_at": "2026-04-06T00:08:12.122213Z",
	"updated_at": "2026-04-10T03:36:36.990388Z",
	"deleted_at": null,
	"sha1_hash": "63e40e92f4935b40f57ee280a74747de2314de11",
	"title": "Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2589900,
	"plain_text": "Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks\r\nBy Bill Toulas\r\nPublished: 2023-11-09 · Archived: 2026-04-05 19:14:14 UTC\r\nThreat actors are exploiting a zero-day vulnerability in the service management software SysAid to gain access to corporate servers for data theft and to deploy Clop ransomware.\r\nSysAid is a comprehensive IT Service Management (ITSM) solution that provides a suite of tools for managing various IT services within an organization.\r\nThe Clop ransomware is notorious for exploiting zero-day vulnerabilities in widely used software. Recent examples include MOVEit Transfer, GoAnywhere MFT, and Accellion FTA.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-sysaid-zero-day-flaw-exploited-in-clop-ransomware-attacks/\r\nPage 1 of 5\r\nCurrently identified as CVE-2023-47246, the vulnerability was discovered on November 2 after hackers exploited it to breach on-premise SysAid servers.\r\nThe Microsoft Threat Intelligence team discovered the security issue being leveraged in the wild and alerted SysAid.\r\nMicrosoft determined that the vulnerability was used to deploy Clop ransomware by a threat actor it tracks as Lace Tempest (a.k.a. Fin11 and TA505).\r\nAttack details\r\nSysAid published a report on Wednesday disclosing that CVE-2023-47246 is a path traversal vulnerability that leads to unauthorized code execution. The company also shares technical details of the attack uncovered following an investigation by rapid incident response company Profero.\r\nThe threat actor leveraged the zero-day flaw to upload a WAR (Web Application Resource) archive containing a webshell into the webroot of the SysAid Tomcat web service.\r\nThis enabled the threat actors to execute additional PowerShell scripts and load the GraceWire malware, which was injected into a legitimate process (e.g. spoolsv.exe, msiexec.exe, svchost.exe).\r\nThe report notes that the malware loader ('user.exe') checks running processes to ensure that Sophos security products are not present on the compromised system.\r\nMalware loader (SysAid)\r\nAfter exfiltrating data, the threat actor tried to erase their tracks by using another PowerShell script that deleted activity logs.\r\nMicrosoft also noticed that Lace Tempest deployed additional scripts that fetched a Cobalt Strike listener on compromised hosts.\r\nPS script to erase attack traces (SysAid)\r\nSecurity update available\r\nAfter learning of the vulnerability, SysAid worked quickly to develop a patch for CVE-2023-47246, which is available in a software update. All SysAid users are strongly recommended to switch to version 23.3.36 or later.\r\nSystem administrators should also check servers for signs of compromise by following the steps below:\r\n1. Check the SysAid Tomcat webroot for unusual files, especially WAR, ZIP, or JSP files with anomalous timestamps.\r\n2. Look for unauthorized WebShell files in the SysAid Tomcat service and inspect JSP files for malicious content.\r\n3. Review logs for unexpected child processes from Wrapper.exe, which may indicate WebShell use.\r\n4. Check PowerShell logs for script executions that align with the attack patterns described.\r\n5. Monitor key processes like spoolsv.exe, msiexec.exe, svchost.exe for signs of unauthorized code injection.\r\n6. Apply provided IOCs to identify any signs of the vulnerability being exploited.\r\n7. Search for evidence of specific attacker commands that indicate system compromise.\r\n8. Run security scans for known malicious indicators related to the vulnerability.\r\n9. Look for connections to the listed C2 IP addresses.\r\n10. Check for signs of attacker-led cleanup to conceal their presence.\r\nSysAid's report provides indicators of compromise that could help detect or prevent the intrusion, which consist of filenames and hashes, IP addresses, file paths used in the attack, and commands the threat actor used to download malware or to delete evidence of initial access.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-sysaid-zero-day-flaw-exploited-in-clop-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-sysaid-zero-day-flaw-exploited-in-clop-ransomware-attacks/"
	],
	"report_names": [
		"microsoft-sysaid-zero-day-flaw-exploited-in-clop-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63e40e92f4935b40f57ee280a74747de2314de11.pdf",
		"text": "https://archive.orkl.eu/63e40e92f4935b40f57ee280a74747de2314de11.txt",
		"img": "https://archive.orkl.eu/63e40e92f4935b40f57ee280a74747de2314de11.jpg"
	}
}