Microsoft has recently identified that the threat actor Lace Tempest is exploiting a zero-day vulnerability in SysAid IT support software. This group is notorious for its distribution of the Cl0p ransomware and has previously exploited zero-day flaws in MOVEit Transfer and PaperCut servers.
The current vulnerability, identified as CVE-2023-47246, is a path traversal flaw that could lead to code execution within on-premise installations of the software. SysAid has addressed this issue in the 23.3.36 version of their software.
Microsoft revealed that, "After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware." This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.
SysAid has observed Lace Tempest uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service. This web shell not only provides the threat actor with backdoor access to the compromised host, but also delivers a PowerShell script designed to execute a loader that loads Gracewire.
The attackers also deploy a second PowerShell script that erases evidence of the exploitation after the malicious payloads have been deployed. The attack chains are characterized by the use of the MeshCentral Agent and PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.
Organizations using SysAid are strongly advised to apply the patches immediately to prevent potential ransomware attacks and to scan their environments for signs of exploitation prior to patching.
This development follows a warning from the U.S. Federal Bureau of Investigation (FBI) that ransomware attackers are targeting third-party vendors and legitimate system tools to compromise businesses. The FBI noted that, "As of June 2023, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually relating to pending charges on the victims' account."
Should a victim fall for this trick and call the provided phone number, the malicious actors directed them to install a legitimate system management tool via a link provided in a follow-up email. The attackers then used this management tool to install other genuine software that can be repurposed for malicious activity, compromising local files and network shared drives, exfiltrating victim data, and extorting the companies.