SysAid Zero-Day Vulnerability Exploited to Deploy Clop Ransomware
A zero-day vulnerability in the SysAid IT service management solution is being exploited by the Lace Tempest (aka FIN11, DEV-0950, TA505) threat group to gain access to SysAid servers, steal data, and deploy Clop ransomware.
The threat group is well known for exploiting zero-day vulnerabilities. Before the latest campaign, the group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution, stole data, and attempted to extort more than 2,000 victims. Earlier this year, a zero-day vulnerability was exploited in another file transfer solution, Fortra’s GoAnywhere MFT, and before that, in 2021, the group exploited a zero-day vulnerability in the Accellion FTA.
The SysAid vulnerability was identified on November 2, 2023, after it had been exploited. The vulnerability, tracked as CVE-2023-47246, was identified by Microsoft, which notified SysAid. The attacks detected by Microsoft were attributed to the Lace Tempest group.
CVE-2023-47246 is a path traversal vulnerability in SysAid’s on-premises software that can be exploited to execute unauthorized code. In one of the attacks, the threat actor exploited the flaw to upload a Web Application Resource (WAR) archive containing a webshell to the webroot of the SysAid Tomcat web service. The webshell allowed the threat actor to execute PowerShell scripts to load GraceWire malware into a legitimate process such as spoolsv.exe, msiexec.exe, or svchost.exe. The malware checks for Sophos security software, and if not present, will be used to deploy additional scripts. In one attack, a Cobalt Strike listener was deployed on compromised hosts. After exfiltrating sensitive data, Clop ransomware was deployed and executed.
Given the speed at which the group has exploited vulnerabilities in the past, immediate action is required to fix the flaw. SysAid has released a patch and all SysAid users are being strongly encouraged to update to version 23.3.36 or later as soon as possible to prevent exploitation. After upgrading to the latest version, servers should be checked for signs of compromise. SysAid has published a list of Indicators of Compromise (IoCs) in its recent report on the attacks exploiting the flaw. SysAid also recommends reviewing any credentials or other information that would have been available to someone with full access to the SysAid server and checking any relevant activity logs for suspicious behavior.
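One way to carry out the post-upgrade check described above, as an added example that is not SysAid's or Microsoft's code: the attack dropped a WAR archive into the Tomcat webroot, so a defender can inventory every WAR under the webapps directory, list the JSP entries each would expose, and flag any archive that is not on an allowlist of expected deployments or that appeared after a chosen cut-off date. The allowlist, directory and sample archives are constructed for illustration, not taken from SysAid's IoC list.

```python
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# Assumption: archives an administrator expects to find under Tomcat's webapps/.
EXPECTED_WARS = {"ROOT.war"}


def inventory_wars(webapps_dir, since):
    """Return findings for WAR files that are not allowlisted or were modified at/after `since`."""
    findings = []
    for name in sorted(os.listdir(webapps_dir)):
        if not name.lower().endswith(".war"):
            continue
        path = os.path.join(webapps_dir, name)
        mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
        reasons = []
        if name not in EXPECTED_WARS:
            reasons.append("not in allowlist")
        if mtime >= since:
            reasons.append("modified after cut-off")
        jsps = []
        try:
            # JSP/JSPX entries are what a WAR-borne webshell would be served from.
            with zipfile.ZipFile(path) as war:
                jsps = [e for e in war.namelist() if e.lower().endswith((".jsp", ".jspx"))]
        except zipfile.BadZipFile:
            reasons.append("not a valid archive")
        if reasons:
            findings.append({"file": name, "mtime": mtime.isoformat(), "jsp": jsps, "reasons": reasons})
    return findings


def demo():
    """Constructed webapps dir: one old, expected WAR and one new, unexpected WAR with a JSP."""
    with tempfile.TemporaryDirectory() as webapps:
        root = os.path.join(webapps, "ROOT.war")
        with zipfile.ZipFile(root, "w") as z:
            z.writestr("index.html", "<html>constructed</html>")
        old = datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(root, (old, old))  # pretend ROOT.war was deployed long ago
        with zipfile.ZipFile(os.path.join(webapps, "unexpected.war"), "w") as z:
            z.writestr("page.jsp", "<%-- constructed placeholder entry --%>")
        # Cut-off: the date the vulnerability was identified, per the article.
        cutoff = datetime(2023, 11, 2, tzinfo=timezone.utc)
        return inventory_wars(webapps, cutoff)
```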
The post SysAid Zero-Day Vulnerability Exploited to Deploy Clop Ransomware appeared first on HIPAA Journal.
CISA Issues Software Bill of Materials Guidance
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, Office of the Director of National Intelligence, and partners have released guidance on software bill of materials (SBOM) generation and consumption, as part of ongoing efforts to better secure the software supply chain.
The guidance was developed by the Software Supply Chain Working Panel, which was established by the Enduring Security Framework (ESF) and is a collaborative partnership across private industry, academia, and government. The Working Panel has developed a three-part Recommended Practices Guide series that covers best practices to help ensure a more secure software supply chain for developers, suppliers, and customer stakeholders.
The latest guidance is aimed at software developers and suppliers, and includes industry best practices and principles, including managing open source software and SBOM to maintain and provide awareness about the security of software.
Cyber actors are increasingly targeting the software supply chain and are searching for software vulnerabilities that can be exploited to allow them to attack all users of the software, such as the 2020 cyberattack on the SaaS provider SolarWinds. The attack is believed to have been conducted by the Russian state-sponsored hacking group Cozy Bear, which compromised the SolarWinds Orion IT performance and monitoring solution and added a backdoor. When a software update was rolled out to customers, so was the backdoor, resulting in the compromise of an estimated 18,000 systems. The hackers then conducted follow-on activities on selected high-value targets.
Cyber actors also take advantage of vulnerabilities in open source software and third-party components, such as the Log4Shell vulnerability in the Log4j logging tool, which is used by millions of computers worldwide. When a critical vulnerability was identified and patches were released, they could only be applied if it was known that Log4j was used. Because Log4j was a component of many different software solutions, the vulnerability went unaddressed as many users were unaware that they were vulnerable.
One of the ways that the security of the software supply chain can be improved is by having a complete SBOM that includes all software components and dependencies. The SBOM can be rapidly queried to determine if a vulnerable software component is used and steps can then be taken to address the problem. The latest guidance document is part of the ESF Software Supply Chain Working Panel’s second phase of guidance, which provides further details on the SBOMs that were recommended in the Phase 1 Recommended Practices Guides.
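The SBOM query described above, as an added example that is not part of the CISA/ESF guidance: it walks a CycloneDX JSON document, including nested component lists (transitive dependencies), and reports every component whose package URL matches a given package and whose version falls inside an affected range. The SBOM content is constructed, and the version range passed in the test is an illustrative assumption; the authoritative affected range for Log4Shell comes from the vendor advisory, not from this code.

```python
import json

# Constructed CycloneDX SBOM: a direct log4j-core dependency, a transitive one
# nested under another library, and a patched copy. Not any real product's SBOM.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.example", "name": "reporting", "version": "3.1.0",
         "purl": "pkg:maven/com.example/reporting@3.1.0",
         "components": [  # transitive dependency carried by the reporting library
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.11.0", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.11.0"}]},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})


def version_key(version):
    """Map '2.14.1' or '2.0-beta9' to a comparable tuple: numeric parts, then pre-release suffix."""
    head, _, suffix = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in head.split("."))
    # '~' sorts after any alphabetic suffix, so a final release compares newer than its betas.
    return nums, suffix or "~"


def walk_components(components):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_vulnerable(sbom_json, purl_prefix, min_version, max_version):
    """Return purls of components matching purl_prefix with min_version <= version <= max_version."""
    bom = json.loads(sbom_json)
    lo, hi = version_key(min_version), version_key(max_version)
    hits = []
    for comp in walk_components(bom.get("components", [])):
        purl = comp.get("purl", "")
        if purl.split("@")[0] == purl_prefix and lo <= version_key(comp.get("version", "0")) <= hi:
            hits.append(purl)
    return hits
```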
According to CISA, the guidance can be used as a basis for describing, assessing, and measuring security practices relative to the software lifecycle and the suggested practices can be applied across the acquisition, deployment, and operational phases of a software supply chain. The guidance includes recommendations in line with industry best practices and principles which software developers and software suppliers are encouraged to reference, and includes managing open source software and SBOMs to maintain and provide awareness about the security of software.
While the guidance provides recommendations for SBOM generation and consumption processes, implementing these recommendations will be a challenge for many organizations as it will require considerable investment and resources that many organizations currently lack.
The post CISA Issues Software Bill of Materials Guidance appeared first on HIPAA Journal.