The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft.
Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers.
The issue, tracked as CVE-2023-47246, concerns a path traversal flaw that could result in code execution within on-premise installations. It has been patched by SysAid in version 23.3.36 of the software.
“After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware,” Microsoft said.
“This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.”
According to SysAid, the threat actor has been observed uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service.
The web shell, besides providing the threat actor with backdoor access to the compromised host, is used to deliver a PowerShell script that’s designed to execute a loader that, in turn, loads Gracewire.
Also deployed by the attackers is a second PowerShell script that’s used to erase evidence of the exploitation after the malicious payloads had been deployed.
Furthermore, the attack chains are characterized by the use of the MeshCentral Agent as well as PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.
Organizations that use SysAid are highly recommended to apply the patches as soon as possible to thwart potential ransomware attacks as well as scan their environments for signs of exploitation prior to patching.
The development comes as the U.S. Federal Bureau of Investigation (FBI) warned that ransomware attackers are targeting third-party vendors and legitimate system tools to compromise businesses.
“As of June 2023, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually relating to pending charges on the victims’ account,” FBI said.
Should a victim fall for the ruse and call the provided phone number, the malicious actors directed them to install a legitimate system management tool via a link provided in a follow-up email.”
The attackers then used the management tool to install other authentic software that can be repurposed for malicious activity, the agency noted, adding the actors compromised local files and network shared drives, exfiltrated victim data, and extorted the companies.