SysAid, an IT management software provider, has disclosed a critical security threat affecting its on-premises software. The threat actor, tracked by Microsoft as DEV-0950 or Lace Tempest and previously linked to the Clop ransomware group, is exploiting a zero-day vulnerability tracked as CVE-2023-47246. Left unaddressed, this vulnerability can give an attacker unauthorized access to and control over affected systems, posing a substantial risk to organizations. In this blog post, we cover the SysAid zero-day flaw and shed light on possible mitigation measures.
SysAid, in a blog post, disclosed the active exploitation of a path traversal zero-day vulnerability by Lace Tempest. This disclosure followed Microsoft's early detection of the exploitation, prompting immediate action from SysAid. The gravity of the Lace Tempest threat is underscored by the fact that the group had earlier orchestrated widespread attacks on users of the MOVEit Transfer product, affecting numerous organizations, including U.S. government agencies.
On November 2, Microsoft detected the exploitation of the SysAid vulnerability and promptly reported it to SysAid. The threat actor, Lace Tempest, was swiftly identified as the orchestrator behind the malicious activity. The association with Clop ransomware raised concerns, considering Lace Tempest’s involvement in previous attacks that involved data theft and ransom threats.
SysAid shed light on the intricacies of the zero-day exploit in SysAid orchestrated by Lace Tempest. The threat actor employed PowerShell to obfuscate their actions, making it challenging for incident response teams to investigate effectively. The modus operandi involved uploading a WebShell-containing WAR archive into the webroot of the SysAid Tomcat web service. This, in turn, granted unauthorized access and control over the compromised system.
The SysAid security update urged immediate action: upgrading to the fixed version 23.3.36. The company emphasized the need for users to proactively search for indicators of compromise and, if necessary, undertake further remediation. Given the severity of the threat, SysAid stressed the importance of following incident response playbooks and promptly installing the available patch. Users were specifically warned to watch for unauthorized access attempts and suspicious file uploads within the webroot directory of the Tomcat web service.
SysAid underscored the criticality of proactive measures to secure installations and mitigate risks. Users were advised to review credential information, scrutinize logs for any unusual activity, and monitor for the presence of WebShell files. The urgency conveyed by SysAid reflects the potential consequences of not promptly addressing the zero-day vulnerability.
In a separate statement on X (formerly Twitter), Microsoft Threat Intelligence corroborated the discovery of exploitation activity related to the SysAid software vulnerability. After notifying SysAid, Microsoft acknowledged the swift patching of the vulnerability. In addition to urging users to patch their systems, Microsoft cautioned organizations to conduct thorough searches for signs of exploitation before applying patches, since patching alone does not evict an attacker who is already present. Microsoft highlighted that Lace Tempest might leverage their access to exfiltrate data and deploy Clop ransomware, drawing parallels with their tactics in the MOVEit Transfer attacks.
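The advice above from SysAid and Microsoft (look for suspicious WAR uploads and WebShell files in the Tomcat webroot before trusting a patched system) translates naturally into a small hunting script. The following is an added example written for this post; it is not SysAid's or Microsoft's tooling, and the webroot layout, file names and the process-spawning markers it looks for are constructed assumptions, not indicators from the advisory. It walks a Tomcat `webapps` tree, reports WAR and JSP files modified after a cutoff, and opens each WAR to check whether any JSP inside it spawns processes, which is the primitive a web shell relies on.

```python
"""Hunt a Tomcat webroot for dropped WAR archives and JSP web shells.

Added example, not SysAid's or Microsoft's code. The sample webroot built by
build_sample_webroot() is constructed for the demo; point scan_webroot() at a
real Tomcat webapps directory in practice.
"""
import os
import tempfile
import zipfile
from datetime import datetime, timedelta, timezone

# File types the advisory tells defenders to look for in the Tomcat webroot:
# dropped WAR archives and loose JSP pages.
SUSPICIOUS_EXT = {".war", ".jsp", ".jspx"}

# Constructed heuristic (assumption): JSP code that spawns an OS process is the
# classic web-shell primitive and warrants manual review.
SHELL_MARKERS = (b"Runtime.getRuntime().exec", b"ProcessBuilder")


def _jsp_hits(data: bytes):
    """Return the marker strings present in a JSP body."""
    return [m.decode() for m in SHELL_MARKERS if m in data]


def scan_webroot(webroot: str, since: datetime):
    """Return findings for files under `webroot`.

    A finding is a dict with 'path' and 'reasons'. A file is reported when it
    was modified after `since` (a recent upload) or when it, or a JSP inside
    it, contains a shell marker.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in SUSPICIOUS_EXT:
                continue
            reasons = []
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime >= since:
                reasons.append(f"modified after {since.isoformat()}")
            if ext == ".war" and zipfile.is_zipfile(path):
                # Inspect the JSPs packed inside the archive without deploying it.
                with zipfile.ZipFile(path) as war:
                    for entry in war.namelist():
                        if entry.lower().endswith((".jsp", ".jspx")):
                            hits = _jsp_hits(war.read(entry))
                            if hits:
                                reasons.append(f"{entry} contains {', '.join(hits)}")
            elif ext in (".jsp", ".jspx"):
                with open(path, "rb") as fh:
                    hits = _jsp_hits(fh.read())
                if hits:
                    reasons.append(f"contains {', '.join(hits)}")
            if reasons:
                findings.append({"path": path, "reasons": reasons})
    return findings


def build_sample_webroot(base: str) -> str:
    """Build a constructed webapps tree: a benign WAR dated a year ago and a
    freshly written WAR whose JSP spawns a process (test fixture only)."""
    webapps = os.path.join(base, "webapps")
    os.makedirs(os.path.join(webapps, "sysaid"), exist_ok=True)
    with open(os.path.join(webapps, "sysaid", "index.html"), "w") as fh:
        fh.write("<html>ok</html>")
    benign = os.path.join(webapps, "legacy.war")
    with zipfile.ZipFile(benign, "w") as war:
        war.writestr("hello.jsp", '<%= "hello" %>')
    old = (datetime.now(timezone.utc) - timedelta(days=365)).timestamp()
    os.utime(benign, (old, old))  # backdate so only its content could flag it
    dropped = os.path.join(webapps, "unknown.war")  # constructed name, not an IoC
    with zipfile.ZipFile(dropped, "w") as war:
        war.writestr("fixture.jsp", '<%-- fixture --%><% Runtime.getRuntime().exec("true"); %>')
    return webapps


def demo():
    """Scan the constructed webroot with a seven-day cutoff and return findings."""
    webapps = build_sample_webroot(tempfile.mkdtemp(prefix="tomcat-scan-"))
    since = datetime.now(timezone.utc) - timedelta(days=7)
    findings = scan_webroot(webapps, since)
    for f in findings:
        print(f["path"], "->", "; ".join(f["reasons"]))
    return findings


if __name__ == "__main__":
    demo()
```

The cutoff date should be set to the earliest point at which the instance could have been reached by the attacker, not just the day of the advisory, and any hit is a prompt to preserve the file and the Tomcat access logs for the incident response team rather than to delete it.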
SysAid, upon learning of the security risk in its on-premises software, acted promptly. The company engaged expert support to investigate and address the issue swiftly. Communication with on-premises customers commenced immediately, ensuring the implementation of a workaround solution. A comprehensive product upgrade, featuring enhanced security measures, has been rolled out to address the identified security risk. SysAid expressed gratitude for the collaborative support from Microsoft’s Defender team throughout their response to the issue.
The Lace Tempest cyber attack underscores the persistent and evolving nature of cyber threats. In the face of such challenges, proactive measures, timely patching, and close collaboration with cybersecurity experts are paramount. Organizations must remain vigilant, adopting a comprehensive approach to cybersecurity to safeguard their systems and sensitive data from any zero-day vulnerability in IT systems. As technology advances, so do the threats, making it imperative for businesses to stay one step ahead in the ongoing battle for digital security.
The sources for this piece include articles in The Hacker News and Bleeping Computer.
The post "Lace Tempest Exploits SysAid Zero-Day Flaw" appeared first on TuxCare. This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/lace-tempest-exploits-sysaid-zero-day-flaw/