Hacker Group Behind MOVEit Now Targeting ITSM Platform, Microsoft Says

The group behind the widely felt MOVEit data extortion attacks is now exploiting a vulnerability in SysAid, a competitor to ServiceNow and Jira in the IT service management market.


The cybercriminal group behind data extortion attacks including this year’s MOVEit campaign has been observed exploiting a now-patched vulnerability in the SysAid IT service management platform, according to Microsoft researchers.

In a post Thursday evening on X, Microsoft’s threat research team said it has “discovered exploitation of a 0-day vulnerability in the SysAid IT support software.”

[Related: Hackers Hit The IT Industry: 12 Companies Targeted In 2023]

Sponsored post

Microsoft attributed the attacks to “a threat actor that distributes Clop ransomware,” which it tracks under the name “Lace Tempest.” Researchers at Microsoft previously identified Lace Tempest as the threat actor behind the widespread attacks against customers of Progress’ MOVEit file transfer tool.

“Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware,” Microsoft’s threat team said on X, the social media site formerly known as Twitter.

CRN has reached out to SysAid for comment.

SysAid is a competitor in the IT service management market to platforms such as ServiceNow, Ivanti Neurons for ITSM and Atlassian’s Jira. The company focuses on the midmarket, according to Gartner. In the research firm’s 2022 Magic Quadrant for ITSM, Gartner ranked SysAid among the “niche players.”

SysAid had posted earlier Thursday that it had identified a zero-day vulnerability (tracked at CVE-2023-47246) impacting its on-premises software on Nov. 2. The company announced a patch for the issue in the advisory Thursday.

“We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network to look for any indicators further discussed [in the advisory],” SysAid said in its post.