Lace Tempest Exploits SysAid Zero-Day Flaw
SysAid, an IT management software provider, has disclosed a critical security issue affecting its on-premises software. The threat actor, tracked by Microsoft as DEV-0950 or Lace Tempest and previously linked to the Clop ransomware group, is exploiting a zero-day vulnerability tracked as CVE-2023-47246. Left unpatched, the flaw allows unauthorized access to and control over affected systems, posing a substantial risk to organizations. In this blog post, we’ll look at the SysAid zero-day flaw and the available mitigation measures.
The Emergence of Lace Tempest Cyber Threat
SysAid, in a blog post, disclosed the active exploitation of a path traversal zero-day vulnerability by Lace Tempest. This revelation follows Microsoft’s early detection of the exploitation, prompting immediate action from SysAid. The gravity of the Lace Tempest cybersecurity
had earlier orchestrated widespread attacks on MoveIT Transfer product users, affecting numerous organizations, including U.S. government agencies.
On November 2, Microsoft detected exploitation of the SysAid vulnerability and promptly reported it to SysAid. Lace Tempest was quickly identified as the actor behind the malicious activity. Its association with Clop ransomware raised concerns, given Lace Tempest’s involvement in previous attacks involving data theft and ransom threats.
SysAid Zero-Day Flaw Mechanism
SysAid described how Lace Tempest exploited the zero-day. The threat actor used PowerShell to obfuscate its actions, making it harder for incident response teams to investigate. The attack involved uploading a WAR archive containing a web shell into the webroot of the SysAid Tomcat web service, which gave the attacker unauthorized access to and control over the compromised system.
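A defender-side check for the upload pattern described above, added here as an example and not taken from SysAid or its advisory: it lists the WAR archives in a Tomcat webapps directory, flags any not in an assumed baseline, and inspects each for the shape of a dropped web shell (a bare top-level JSP with no WEB-INF/web.xml). The baseline name `sysaid.war` and the sample files are constructed placeholders.

```python
import os
import tempfile
import zipfile
from typing import Dict, List
# Assumed baseline: WAR names a known-good SysAid install has under Tomcat's webapps
# directory. "sysaid.war" is a placeholder; take the real list from a clean reference host.
EXPECTED_WARS = {"sysaid.war"}

def inspect_war(path: str) -> List[str]:
    """Return reasons a WAR archive looks like a dropped web shell (empty if none)."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["not a valid zip/WAR archive"]
    reasons = []
    # A dropped shell is usually a bare JSP at the archive root, not a full application.
    root_jsps = sorted(n for n in names if n.lower().endswith(".jsp") and "/" not in n)
    if root_jsps:
        reasons.append("top-level JSP entries: " + ", ".join(root_jsps))
    if "WEB-INF/web.xml" not in names:
        reasons.append("missing WEB-INF/web.xml (not a normal deployed application)")
    return reasons

def audit_webapps(webapps_dir: str, expected=EXPECTED_WARS) -> Dict[str, List[str]]:
    """Map each unexpected or suspicious WAR in webapps_dir to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for entry in sorted(os.listdir(webapps_dir)):
        if not entry.lower().endswith(".war"):
            continue
        reasons = ["WAR not in baseline"] if entry not in expected else []
        reasons += inspect_war(os.path.join(webapps_dir, entry))
        if reasons:
            findings[entry] = reasons
    return findings

def build_sample_webapps() -> str:
    """Constructed sample webapps directory: one baseline app and one dropped WAR."""
    d = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(d, "sysaid.war"), "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.html", "<html></html>")
    with zipfile.ZipFile(os.path.join(d, "example-dropped.war"), "w") as zf:
        zf.writestr("sample.jsp", "<%-- placeholder content, irrelevant to the check --%>")
    return d

if __name__ == "__main__":
    for war, why in audit_webapps(build_sample_webapps()).items():
        print(f"{war}: {'; '.join(why)}")
```

On a real host, point `audit_webapps` at the SysAid Tomcat webapps directory and review every flagged archive alongside its file timestamps and the Tomcat access logs.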
SysAid’s Urgent Advisory
SysAid’s security advisory urges customers to act immediately by upgrading to the fixed version 23.3.36. The company also emphasized that users should proactively search for indicators of compromise…