
Microsoft Uncovers Lace Tempest's Zero-Day Strike on SysAid IT Support Software

Recent findings from Microsoft link Lace Tempest to a zero-day exploit against SysAid IT support software, used in a limited number of attacks. This threat actor, known for distributing Cl0p ransomware, has previously exploited zero-day vulnerabilities in MOVEit Transfer and PaperCut servers.

The issue, tracked as CVE-2023-47246, is a critical path traversal flaw that can lead to code execution on on-premises SysAid installations. SysAid has fixed the vulnerability in version 23.3.36, but Lace Tempest's post-exploitation activity is what raises concern.

After exploitation, Lace Tempest used the SysAid platform to deploy a malware loader for the Gracewire malware. This loader typically precedes a series of hands-on operations, including lateral movement, data theft, and the deployment of ransomware.

SysAid reports that the threat actor uploaded a WAR archive containing a web shell and additional payloads into the webroot of the SysAid Tomcat web service, giving them backdoor access and a way to run malicious scripts on the host.

In response, organizations running SysAid are urged to apply the available patch promptly to defend against potential ransomware attacks, and to scan thoroughly for any signs of exploitation that occurred before the fix was applied, since patching alone does not remove a web shell that has already been dropped.
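One concrete form such a post-patch scan can take, given the WAR-in-webroot technique described above, is to walk the Tomcat webroot and flag WAR archives whose JSP members contain command-execution constructs. This is an added example, not SysAid's or Microsoft's code; the webroot path and the JSP indicator strings are assumptions (a generic starting set, not published indicators for CVE-2023-47246), and the sample WAR files it scans are constructed fixtures.

```python
# Added example, not SysAid's or Microsoft's code. The webroot path and the JSP
# indicators are assumptions (generic starting set, not published IoCs for CVE-2023-47246).
import re
import tempfile
import zipfile
from pathlib import Path

# Constructed indicator set: JSP constructs that command-execution shells rely on.
JSP_INDICATORS = [re.compile(p) for p in (rb"Runtime\.getRuntime\(\)\.exec", rb"ProcessBuilder")]

def scan_war(war_path: Path) -> dict:
    """Report every JSP member of one WAR that matches an indicator."""
    findings = {}
    with zipfile.ZipFile(war_path) as zf:
        for member in zf.namelist():
            if member.lower().endswith((".jsp", ".jspx")):
                data = zf.read(member)
                hits = [p.pattern.decode() for p in JSP_INDICATORS if p.search(data)]
                if hits:
                    findings[member] = hits
    return findings

def scan_webroot(webroot: Path) -> dict:
    """Walk a webroot for WAR files and aggregate findings per archive."""
    report = {}
    for war in sorted(webroot.rglob("*.war")):
        try:
            hits = scan_war(war)
        except zipfile.BadZipFile:
            hits = {"<not a valid zip: inspect manually>": []}
        if hits:
            report[war.name] = hits
    return report

def build_sample_webroot(root: Path) -> Path:
    """Constructed fixture: a benign WAR plus one whose JSP is a non-functional stub holding the indicator strings."""
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "benign.war", "w") as zf:
        zf.writestr("index.jsp", "<%= new java.util.Date() %>")
    with zipfile.ZipFile(root / "dropped.war", "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("cmd.jsp", "<%-- fixture --%><% ProcessBuilder pb; Runtime.getRuntime().exec; %>")
    return root

def demo() -> dict:
    """Build the fixture in a fresh temp dir and scan it."""
    return scan_webroot(build_sample_webroot(Path(tempfile.mkdtemp()) / "webapps"))

if __name__ == "__main__":
    print(demo())
```

Point `scan_webroot` at the real Tomcat webapps directory instead of the fixture; any archive it reports, or any WAR whose modification time postdates the last legitimate deployment, warrants a manual look.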

This disclosure aligns with a recent FBI warning about ransomware actors targeting third-party vendors and abusing legitimate system tools to gain a foothold in businesses. The FBI highlighted the Silent Ransom Group's callback-phishing tactics, in which victims are lured into installing legitimate system management tools that are then turned against them for data theft, extortion, and other malicious activity.

©2023 by CyberSec Talk with Asfi!.
