Lace Tempest Strikes Again: Unveiling the Zero-Day Tango with SysAid, Microsoft’s Discovery, and the FBI’s Warning on Ransomware’s Sneaky Tactics

TheRealThreatHuntress
2 min read, Nov 9, 2023

New findings from Microsoft reveal that Lace Tempest, the threat actor notorious for distributing the Cl0p ransomware, is now associated with exploiting a zero-day vulnerability in SysAid IT support software in targeted attacks. Lace Tempest has a history of leveraging zero-day flaws in MOVEit Transfer and PaperCut servers.

The identified issue, designated as CVE-2023-47246, pertains to a path traversal flaw that could lead to code execution within on-premise installations. SysAid has addressed this vulnerability in version 23.3.36 of its software.

Following the exploitation of the vulnerability, Lace Tempest utilized SysAid software to issue commands, delivering a malware loader for the Gracewire malware. This is typically succeeded by human-operated activities such as lateral movement, data theft, and the deployment of ransomware.

SysAid reports that Lace Tempest has been observed uploading a WAR archive with a web shell and other payloads into the webroot of the SysAid Tomcat web service. The web shell grants the threat actor backdoor access to the compromised host and is instrumental in delivering a PowerShell script designed to execute a loader that loads Gracewire. Additionally, a second PowerShell script is deployed to erase evidence of the exploitation after the malicious payloads are deployed.

The attack chains are further characterized by the use of the MeshCentral Agent and PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework. Organizations utilizing SysAid are strongly advised to promptly apply the provided patches to prevent potential ransomware attacks. They are also advised to scan their environments for signs of exploitation prior to patching, since a patch does not evict an attacker who is already inside.
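One concrete way to do that pre-patch check is to hunt the SysAid Tomcat webroot for WAR archives that are not part of the deployment and for JSP files dropped outside any application directory, the two artifacts the paragraphs above describe. The script below is an added example written for this post, not SysAid or Microsoft tooling; it assumes the operator passes in the webapps directory and an allow-list of legitimately deployed WAR names, and the sample webroot it builds is entirely constructed.

```python
"""Hunt a Tomcat webroot for unexpected WAR archives and stray JSP files."""
import tempfile
import zipfile
from pathlib import Path

JSP_SUFFIXES = {".jsp", ".jspx"}


def scan_webroot(webroot, expected_wars):
    """Return (kind, relative_path, detail) findings for a webapps directory.

    kind is 'unexpected_war' for a WAR not on the allow-list (detail lists any
    JSP members it would deploy) or 'loose_jsp' for a JSP placed directly in
    the webroot rather than inside a deployed application.
    """
    root = Path(webroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ".war" and path.name not in expected_wars:
            try:
                with zipfile.ZipFile(path) as war:
                    jsp_members = [m for m in war.namelist()
                                   if Path(m).suffix.lower() in JSP_SUFFIXES]
            except zipfile.BadZipFile:
                jsp_members = ["<not a valid zip archive>"]
            findings.append(("unexpected_war", str(path.relative_to(root)), jsp_members))
        elif suffix in JSP_SUFFIXES and path.parent == root:
            findings.append(("loose_jsp", str(path.relative_to(root)), []))
    return findings


def demo():
    """Build a constructed webroot in a temp dir and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Legitimate archive: constructed stand-in for the real SysAid WAR name.
        with zipfile.ZipFile(root / "sysaid.war", "w") as war:
            war.writestr("WEB-INF/web.xml", "<web-app/>")
        # Archive that should not be there; its JSP member is a harmless placeholder.
        with zipfile.ZipFile(root / "unexpected-example.war", "w") as war:
            war.writestr("x.jsp", "<%-- constructed placeholder, not a web shell --%>")
        (root / "stray.jsp").write_text("<%-- constructed placeholder --%>")
        return scan_webroot(root, expected_wars={"sysaid.war"})


if __name__ == "__main__":
    for kind, rel_path, detail in demo():
        print(kind, rel_path, detail)
```

Run it against the real webapps directory with your own allow-list; any hit is a lead to investigate together with the Tomcat access logs and recent PowerShell execution on the host.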

This development aligns with a warning from the U.S. Federal Bureau of Investigation (FBI) that ransomware attackers are focusing on third-party vendors and legitimate system tools to compromise businesses. The FBI highlighted the activities of the Silent Ransom Group (SRG), also known as Luna Moth, involving callback-phishing data theft and extortion attacks. Victims were targeted through phishing attempts that led them to install a legitimate system management tool via a link provided in a follow-up email. The attackers then used this tool to install other authentic software for malicious purposes, compromising local files and network shared drives, exfiltrating victim data, and extorting the companies.

Happy Hunting!

— threathuntress
