SysAid Zero-Day Exploits: A Growing Threat in Ransomware Attacks

The threat actor Lace Tempest has been exploiting a zero-day vulnerability in the SysAid IT support software to distribute the Cl0p ransomware. The vulnerability, tracked as CVE-2023-47246, allows code execution in on-premise installations and has since been patched by SysAid. After exploiting the flaw, Lace Tempest deploys a malware loader for the Gracewire malware, followed by human-operated activity such as lateral movement, data theft, and ransomware deployment. The attack involves uploading a web shell and other payloads into the SysAid Tomcat web service, as well as using the MeshCentral Agent and PowerShell to download and run Cobalt Strike. Organizations using SysAid are advised to apply the patches promptly and to scan their installations for signs of exploitation. The FBI has also warned that ransomware attackers are targeting third-party vendors and abusing legitimate system tools to compromise businesses.

- Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability The Hacker News
- Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks BleepingComputer
- MOVEit Hackers Pivot to SysAid Zero-Day in Ransomware Attacks DARKReading
- Ransomware gang behind MOVEit attacks are targeting new zero-day, Microsoft says The Record from Recorded Future News
- MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246) Help Net Security