November 9, 2023 at 07:40AM
Cybercriminals associated with the Cl0p ransomware gang, known as Lace Tempest, have exploited a zero-day vulnerability in on-prem versions of IT service and help desk software SysAid. Microsoft’s Threat Intelligence discovered the exploits and reported them to SysAid, who promptly released patches. The attackers used a new path traversal vulnerability to gain control over the system and deploy malware. Users are advised to upgrade to the latest version, monitor for suspicious activity, and install patches promptly. Lace Tempest’s capabilities are comparable to an APT group, and they have been responsible for major attacks this year, including the MOVEit exploits and the GoAnywhere breach.
Key Takeaways from Meeting Notes:
1. Cybercriminals, believed to be affiliates of the Cl0p ransomware gang and tracked by Microsoft as Lace Tempest, exploited a zero-day vulnerability in on-prem instances of IT service and help desk software SysAid.
2. Microsoft’s Threat Intelligence discovered the exploits and reported them to SysAid on November 2. SysAid promptly developed and released patches for the vulnerability.
3. The attack involved uploading a WAR archive into the webroot of the SysAid Tomcat web service, allowing the attackers to gain control over the system and deploy malware.
4. The deployed malware, GraceWire, is often a precursor to other human-operated attack activity, including ransomware.
5. SysAid advised its customers to upgrade to version 23.3.36, check for indicators of compromise (IoCs), and review any exposed sensitive information.
6. Customers should monitor for unauthorized access attempts, suspicious file uploads, and unusual files within the SysAid webroot directory.
7. Microsoft discovered the zero-day bug after noticing a suspicious process spawned by a Java.exe process.
8. Lace Tempest, as an affiliate of the Cl0p cybercrime group, has demonstrated advanced capabilities in finding and leveraging new bugs effectively.
9. Cl0p has been responsible for major attacks, including the MOVEit attacks and the GoAnywhere breach, both of which involved a pure extortion approach without encryption.
10. The sheer scale of Cl0p’s attacks this year has brought attention to the tactic of pure extortion.