Lace Tempest Seen Exploiting SysAid Zero Day

IT automation and asset management software provider SysAid is warning customers about a critical vulnerability in its on-premise software that attackers from the Lace Tempest threat group have been exploiting in active attacks.

The bug (CVE-2023-47246) emerged last week, and Microsoft Threat Intelligence researchers identified Lace Tempest as the group exploiting it. Lace Tempest is the same group responsible for exploiting the MOVEit Transfer vulnerability earlier this year, and is associated with the cl0p ransomware group. The vulnerability itself is a path traversal issue in the on-premises version of SysAid, a tool used in a wide range of enterprises for asset management and automation.

In the attacks that Microsoft and SysAid have seen, the attackers exploited the vulnerability to upload a webshell and other files to the target system.

“The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan,” Sasha Shapirov, CTO of SysAid, said in a post.

“After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker’s actions from the disk and the SysAid on-prem server web logs. The investigation revealed that the attackers had been observed deploying the GraceWire loader.”
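The chain SysAid describes (a webshell-launched PowerShell script, the user.exe loader, then a second PowerShell script wiping web logs) maps onto a few process-creation detections. The script below is an added example, not code from SysAid, Microsoft or Rapid7; it assumes process telemetry as simple dicts, assumes the SysAid server runs inside a Java process, and the sample events are constructed.

```python
"""Triage rules for the CVE-2023-47246 post-exploitation chain (added example)."""
import re

# Assumption: the on-prem SysAid server runs as a Java process.
WEB_SERVER_IMAGES = {"java.exe", "javaw.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
LOADER_NAME = "user.exe"  # loader name reported by SysAid
# A delete/remove command whose arguments mention a log path (anti-forensics step).
LOG_WIPE_RE = re.compile(r"(remove-item|del |rm )[^;|]*log", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) findings for the webshell -> PowerShell -> loader chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        parent = basename(by_pid.get(e["ppid"], {}).get("image", ""))
        # Rule 1: the web server process spawning PowerShell (webshell-driven execution)
        if image in POWERSHELL_IMAGES and parent in WEB_SERVER_IMAGES:
            findings.append(("webserver_spawns_powershell", e["pid"]))
        # Rule 2: user.exe is a generic name, so require the PowerShell parent too
        if image == LOADER_NAME and parent in POWERSHELL_IMAGES:
            findings.append(("user_exe_loader_from_powershell", e["pid"]))
        # Rule 3: PowerShell deleting log files, as in the second script SysAid observed
        if image in POWERSHELL_IMAGES and LOG_WIPE_RE.search(e["cmdline"]):
            findings.append(("powershell_wipes_web_logs", e["pid"]))
    return findings


# Constructed sample telemetry; paths are illustrative, not SysAid's real layout.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\SysAid\jre\bin\java.exe", "cmdline": "java.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Windows\Temp\stage.ps1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\Temp\user.exe", "cmdline": "user.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Remove-Item C:\SysAid\tomcat\logs\*.txt -Force"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign admin use, should not fire
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```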

SysAid has released a fix for the vulnerability, and is encouraging customers to upgrade to version 23.3.36 as soon as possible. Lace Tempest is a dangerous and highly active threat group that has shown the capability and willingness to deploy ransomware in compromised environments. Though Microsoft and SysAid had not yet identified any ransomware incidents resulting from exploitation of this vulnerability, it’s a distinct possibility going forward, given the public information on the bug and Lace Tempest’s history.

“Given the potential for ransomware and extortion attacks, organizations with on-premise SysAid servers should apply the vendor-supplied patches on an emergency basis, invoking incident response procedures if possible, and ensure the server is not exposed to the public internet,” Caitlin Condon of Rapid7 said.