November 9, 2023 at 12:16PM
Lace Tempest, the threat actor behind the Cl0p ransomware, has exploited a zero-day flaw in SysAid IT support software. The flaw, tracked as CVE-2023-47246, is a path traversal that leads to code execution; SysAid has released a patch. Lace Tempest uses the vulnerability to deliver the Gracewire malware, steal data, and deploy ransomware. Organizations running SysAid should apply the patch promptly and check their environments for signs of exploitation. Separately, the FBI has warned that ransomware attackers are targeting third-party vendors and abusing legitimate system tools to compromise businesses.
Key Takeaways from Meeting Notes:
1. Lace Tempest, a threat actor known for distributing the Cl0p ransomware, has exploited a zero-day flaw in the SysAid IT support software in limited attacks.
2. The vulnerability, tracked as CVE-2023-47246, is a path traversal flaw that has been patched in version 23.3.36 of the software.
3. After exploiting the vulnerability, Lace Tempest uses the SysAid software to deliver a malware loader for the Gracewire malware, followed by human-operated activity such as lateral movement, data theft, and ransomware deployment.
4. The attackers abuse the path traversal to write a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service, giving them backdoor access to the compromised host and the ability to execute malicious scripts.
5. The attack chains also involve the use of the MeshCentral Agent and PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.
6. Organizations using SysAid are advised to apply the patches promptly and scan their environments for signs of exploitation.
7. The FBI has warned about ransomware attackers targeting third-party vendors and using legitimate system tools to compromise businesses.
8. The Silent Ransom Group (SRG), also known as Luna Moth, has conducted callback phishing data theft and extortion attacks by tricking victims into installing legitimate system management tools.
9. Once installed, the attackers repurpose the management tools for their malicious activities, compromising local files, network shared drives, and extorting the targeted companies.
These are the main highlights from the meeting notes regarding the vulnerability and the ransomware attacks.