Title: Lace Tempest Exploits Zero-Day Flaw in SysAid IT Support Software for Ransomware Attacks
In recent findings revealed by Microsoft, notorious threat actor Lace Tempest has been linked to the exploitation of a zero-day vulnerability in SysAid IT support software. This newfound revelation unveils the latest tactics employed by cybercriminals as they continue to evolve their techniques for disseminating the Cl0p ransomware.
The vulnerability in question, tracked as CVE-2023-47246, is a path traversal flaw that can be abused to execute malicious code in on-premises installations. In response, SysAid released a patch in version 23.3.36 to address the issue.
Lace Tempest leverages this vulnerability as an entry point to introduce a malware loader for the Gracewire malware, which is subsequently followed by a series of human-operated activities. These actions encompass lateral movement, data theft, and ultimately the deployment of ransomware onto targeted systems.
According to SysAid's report, the threat actor uploads a WAR archive, containing a web shell and other payloads, into the webroot of the SysAid Tomcat web service. Through the web shell, the attacker gains unauthorized access and runs a PowerShell script that executes the loader responsible for loading Gracewire. A second PowerShell script is then used to erase evidence of the intrusion, leaving little trace behind.
The attack chain orchestrated by Lace Tempest also uses the MeshCentral Agent and PowerShell to download and execute Cobalt Strike, a legitimate post-exploitation framework. By relying on trusted software, the threat actor blends in with normal administrative activity, further complicating detection and prevention efforts.
To safeguard against potential ransomware attacks, organizations employing SysAid are urgently advised to promptly apply the provided patches and conduct thorough scans of their environments for any indicators of exploitation. By taking these proactive measures, businesses can fortify their defenses and mitigate the risk of falling victim to Lace Tempest’s nefarious activities.
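The two checks the article recommends, confirming the installed build is at or beyond the fixed version and looking for WAR archives that do not belong in the SysAid Tomcat webroot, as an added helper script that is not from the article or from SysAid. The webroot path and the baseline list of expected WAR names are assumptions to be set per deployment.

```python
"""Hunting helper for the SysAid CVE-2023-47246 indicators described above.
Added example, not SysAid's own tooling. Paths and baseline names are assumptions."""
import os
import time
from typing import Iterable, List, Tuple

# Version in which SysAid shipped the fix, per the article.
FIXED_VERSION = (23, 3, 36)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.3.36' into (23, 3, 36) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the installed build is 23.3.36 or later."""
    return parse_version(version) >= FIXED_VERSION


def unexpected_wars(entries: Iterable[Tuple[str, float]],
                    baseline: Iterable[str], since: float) -> List[str]:
    """Flag WAR archives that are not on the baseline allowlist, or whose
    modification time is at or after `since` (epoch seconds), since the attack
    drops a fresh WAR into the Tomcat webroot. `entries` is (file name, mtime)."""
    known = {name.lower() for name in baseline}
    hits = []
    for name, mtime in entries:
        lowered = name.lower()
        if not lowered.endswith(".war"):
            continue
        if lowered not in known or mtime >= since:
            hits.append(name)
    return sorted(hits)


def scan_webroot(webroot: str, baseline: Iterable[str], since: float) -> List[str]:
    """Walk a real Tomcat webroot (assumed path) and apply unexpected_wars to it."""
    entries = [(name, os.path.getmtime(os.path.join(webroot, name)))
               for name in os.listdir(webroot)
               if os.path.isfile(os.path.join(webroot, name))]
    return unexpected_wars(entries, baseline, since)


if __name__ == "__main__":
    # Constructed example values; replace with the host's real version, webroot and baseline.
    print("patched:", is_patched("23.3.35"))
    last_week = time.time() - 7 * 24 * 3600
    print("suspect WARs:", scan_webroot("/opt/sysaid/tomcat/webapps", ["SysAid.war"], last_week))
```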
In other news, the FBI has recently issued a warning regarding ransomware attackers targeting third-party vendors and legitimate system tools to compromise businesses. The Silent Ransom Group, also known as Luna Moth, has been employing callback phishing, data theft, and extortion tactics. These cybercriminals deceive victims into contacting a specified phone number and subsequently installing a seemingly legitimate system management tool. However, once installed, this tool is hijacked by the attackers to facilitate the installation of additional malicious software, thereby compromising local files, network shared drives, and inflicting financial harm on targeted companies.
The evolving strategies employed by these threat actors highlight the need for heightened cybersecurity measures, emphasizing the importance of staying informed and implementing timely security updates. With ransomware attacks becoming more sophisticated and prevalent, organizations must remain vigilant and proactive in protecting their digital assets from the ever-looming dangers of cybercriminals.