A new malicious campaign is taking advantage of a zero-day vulnerability in the popular SysAid IT helpdesk software to deploy the Clop ransomware, Microsoft has warned.
Tracked by Microsoft as Lace Tempest (aka DEV-0950, FIN11 and TA505), the threat actor is believed to be an affiliate of the Clop ransomware gang. It was previously linked to a large-scale hacking campaign that exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit file transfer app, which is used by thousands of organizations around the world, to deploy ransomware. The MOVEit campaign is said to have impacted more than 2,500 organizations and over 70 million individuals.
The new campaign involves CVE-2023-47246, a path traversal issue in the SysAid software that can lead to remote code execution. Microsoft’s threat intelligence team said that Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware, which is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.
“Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware,” the tech giant advised.
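Microsoft's advice to look for signs of exploitation before patching turns, for a path traversal bug like the one described above, into a review of web server request logs for parent-directory sequences, including percent-encoded and double-encoded forms that a naive string match misses. The following is an added example written for this page; it is not code from the article, Microsoft or SysAid, and it is a generic traversal detector rather than a SysAid-specific indicator (the article publishes none). It assumes Apache/Nginx combined log format, and the log lines, IP addresses and paths are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in combined format (not real SysAid traffic).
# Lines 2-4 carry traversal attempts in plain, encoded and double-encoded form;
# line 5 is a benign filename containing ".." that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Nov/2023:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Nov/2023:10:01:15 +0000] "POST /upload?file=../../etc/passwd HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.12 - - [08/Nov/2023:10:01:20 +0000] "GET /files/%2e%2e%2f%2e%2e%2fwindows/win.ini HTTP/1.1" 404 0 "-" "-"
203.0.113.13 - - [08/Nov/2023:10:01:25 +0000] "GET /a/%252e%252e/%252e%252e/secret HTTP/1.1" 200 33 "-" "-"
203.0.113.14 - - [08/Nov/2023:10:01:30 +0000] "GET /docs/guide..pdf HTTP/1.1" 200 1024 "-" "-"
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e -> %2e -> .) collapse."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True if the request target, once decoded, contains a '..' path segment.

    The path and every query-string value are checked separately, so a traversal
    hidden in a parameter such as ?file=../../x is caught. Only whole segments
    count, so a filename like guide..pdf is not a false positive.
    """
    decoded = fully_decode(target).replace("\\", "/")
    for part in re.split(r"[?&=]", decoded):
        if ".." in part.split("/"):
            return True
    return False


def find_traversal_attempts(log_text):
    """Parse combined-format log text and return the requests that look like traversal attempts."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not parse rather than guessing
        target = match.group("target")
        if is_traversal(target):
            hits.append({
                "ip": match.group("ip"),
                "timestamp": match.group("ts"),
                "status": int(match.group("status")),
                "target": target,
                "decoded": fully_decode(target).replace("\\", "/"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        # A 2xx status on a traversal request deserves the first look: it may have succeeded.
        flag = "SUCCESS?" if 200 <= hit["status"] < 300 else "blocked/404"
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["status"]} {flag} {hit["decoded"]}')
```

Run against real logs, the status column is the triage key: traversal requests that returned 2xx are the ones to investigate for follow-on activity such as dropped loaders, new outbound connections or lateral movement, while 4xx hits still identify the sources probing for the bug.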