Lace Tempest exploits SysAid zero-day vulnerability

The threat actor behind the widespread MoveIT Transfer product attacks earlier this year is now exploiting a zero-day vulnerability in SysAid's on-premises software.

In a blog post Wednesday, IT management software provider SysAid disclosed a path traversal zero-day vulnerability, tracked as CVE-2023 47246, was being actively exploited by a dangerous threat actor tracked by Microsoft as DEV-0950 or Lace Tempest. SysAid urged users to upgrade to the fixed version 23.3.36 and to search for any indicators of compromise that would require further remediation.

Microsoft was the first to observe exploitation and reported the zero-day vulnerability to SysAid on November 2. SysAid revealed that Microsoft attributed the malicious activity to Lace Tempest, a threat actor connected to the Clop ransomware group.

That caused concern as Lace Tempest was behind the attacks on Progress Software's MoveIT Transfer customers that affected thousands of organizations, including U.S. government agencies, earlier this year. While those attacks did not include any ransomware deployment and only featured data theft, Clop operators named victim organizations on the gang's leak site and threatened to leak stolen data unless ransoms were paid.

SysAid said the zero-day attacks involved the use of PowerShell to obfuscate the attackers' steps and make incident response investigations more difficult.

"The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service," SysAid wrote in the blog.

Using the WebShell, attackers gained unauthorized access and, more alarmingly, control over the affected system. Because it is a path traversal flaw, SysAid warned users to look for unauthorized access attempts or suspicious file uploads within the webroot directory of the Tomcat web service.

"Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and install patches as they become available," the blog read. "Taking proactive steps to secure your SysAid installations is vital in mitigating the risk."

SysAid added that users should review credential information, check logs for suspicious activity and monitor for any unusual WebShell files.

In a separate statement posted to X, formerly known as Twitter, on Wednesday, Microsoft Threat Intelligence confirmed it discovered exploitation activity related to the zero-day vulnerability in SysAid's software. After being notified, Microsoft said SysAid immediately patched the vulnerability.

Along with urging users to patch, Microsoft also warned organizations to search for "any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware." Microsoft added that Lace Temptest's exploitation against SysAid was similar to how it exploited the zero-day vulnerability that led to the widespread MoveIT Transfer attacks.

TechTarget Editorial asked SysAid if the vendor had received any reports of ransomware activity so far. The vendor provided a statement but did not address the question.

After becoming aware of a security issue risk in our on-premises software we moved quickly to appoint expert support to help us investigate and address the issue. We immediately began communication with our on-premises customers about the matter, ensuring a workaround solution was implemented as quickly as possible. We have rolled out a product upgrade that includes security enhancements to address the security risk. We are grateful for collaboration from Microsoft's Defender team throughout our response to this issue.

Arielle Waldman is a Boston-based reporter covering enterprise security news.