Home Malware Lace Tempest Exploits SysAid IT Support Software Vulnerability | Cybersecurity

Lace Tempest Exploits SysAid IT Support Software Vulnerability | Cybersecurity

Malware

Cyber.jpg

Nov 09, 2023. NewsroomVulnerability / Zero Day.

The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft.

Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers.

The issue, tracked as CVE-2023-47246, concerns a path traversal flaw that could result in code execution within on-premise installations. It has been patched by SysAid in version 23.3.36 of the software.

“After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware,” Microsoft said.

“This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”

According to SysAid, the threat actor has been observed uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service.

The web shell, besides providing the threat actor with backdoor access to the compromised host, is used to deliver a PowerShell script that’s designed to execute a loader that, in turn, loads Gracewire.

Also deployed by the attackers is a second PowerShell script that’s used to erase evidence of the exploitation after the malicious payloads had been deployed.

Furthermore, the attack chains are characterized by the use of the MeshCentral Agent as well as PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.

Organizations that use SysAid are highly recommended to apply the patches as soon as possible to thwart potential ransomware attacks as well as scan their environments for signs of exploitation prior to patching.

The development comes as the U.S. Federal Bureau of Investigation (FBI) warned that ransomware attackers are targeting third-party vendors and legitimate system tools to compromise…

read more thehackernews.com

FTC: We use income earning affiliate links. More on Sposored links.
Terms of use and third-party services. More here.

“The adventure of life is to learn. The purpose of life is to grow. The nature of life is to change. The challenge of life is to overcome. The essence of life is to care. The opportunity of like is to serve. The secret of life is to dare. The spice of life is to befriend. The beauty of life is to give.” —William Arthur Ward

Related Posts

00ixaidywf70eisepars9v0 1.fit Lim.size 1200x630.v1701262622.jpg
Malware

Use Google Chrome? Update Your Browser Immediately | Tech Video

1701192961657.jpeg
Malware

Ransomware gangs and Living Off the Land (LOTL) attacks: A deep dive | Malware

Header 2.png
Malware

ownCloud vulnerability can be used to extract admin passwords | Malware

Weinar.jpg
Malware

Transform Your Data Security Posture – Learn from SoFi’s DSPM Success | Cybersecurity

Password.jpg
Malware

How Hackers Phish for Your Users’ Credentials and Sell Them | Cybersecurity

Macos Malware.jpg
Malware

N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Evade Detection | Cybersecurity