The notorious threat actor Lace Tempest, recognized for distributing the Cl0p ransomware, has been implicated in exploiting a zero-day vulnerability in SysAid IT support software, as revealed by Microsoft. The identified issue, CVE-2023-47246, constitutes a path traversal flaw that could potentially lead to code execution within on-premise installations. SysAid has promptly addressed the vulnerability in version 23.3.36 of its software.
Furthermore, post-exploitation, Lace Tempest utilized SysAid to deploy a malware loader for the Gracewire malware, initiating human-operated activities such as lateral movement, data theft, and ransomware deployment. The threat actor employed various techniques, including uploading a WAR archive containing a web shell into the SysAid Tomcat web service, executing PowerShell scripts, and leveraging legitimate tools like MeshCentral Agent and Cobalt Strike.
Additionally, SysAid recommends organizations apply patches swiftly to prevent potential ransomware attacks and conduct thorough environment scans for signs of exploitation. The incident coincides with an FBI warning about ransomware attackers targeting businesses through third-party vendors and legitimate system tools.
At the same time, the Silent Ransom Group (SRG), also known as Luna Moth, was cited for conducting callback phishing attacks, using a phone number phishing attempt to trick victims into installing a legitimate system management tool. These attackers, upon successful compromise, utilized the management tool to install other authentic software for malicious purposes, compromising local files, network shared drives, exfiltrating victim data, and extorting the targeted companies.
References:
