BREAKING DOWN THE LACE TEMPEST EXPLOIT: HOW CYBERCRIMINALS BREACHED ON-PREM SYSAID HOSTS WITH A NEW ZERO-DAY
Custodian360
Custodian360: Fully Managed Cybersecurity by Our UK-Based SOC. Trusted Protection, Proactive Solutions #MSSP
The cybercriminal group behind the MOVEit attacks has been actively exploiting a newly discovered security flaw in SysAid, software used by companies for IT support and help desk tasks. SysAid is usually run on a company's own servers (on-premises). The group, which is believed to be connected to the well-known Cl0p ransomware gang and is tracked by Microsoft as Lace Tempest, has been able to run harmful PowerShell scripts and set up malware through this weakness.
The issue was found by Microsoft's security team, who observed limited attacks on SysAid customers, and they informed SysAid about this on November 2. SysAid responded quickly by creating and distributing fixes for the problem.
Lace Tempest took advantage of a vulnerability in SysAid to run code that should not have been permitted. They did this by uploading a special file (a WAR archive) that let them take control of the affected system. After gaining control, they used one script to prepare the system for further attacks by installing a type of malware called GraceWire, and another script to erase any signs of their intrusion.
Microsoft has noted that installing GraceWire can often lead to more serious attacks, such as ransomware. SysAid has urgently recommended that their customers apply the provided patches and follow their incident response procedures to protect against this threat.
SysAid's patch for this security gap is in version 23.3.36 of their software. They have advised users to check for signs that the attack might have happened (indicators of compromise), and to check for any sensitive information, like passwords, that might have been accessed.
Customers should also be on the lookout for any suspicious files or activity, particularly unusual file uploads in certain directories of SysAid’s system, and check their security systems, like proxies or firewalls, for any signs of the exploit being used.
A Microsoft security expert found this flaw by noticing a strange behavior in a Java process, which led to the discovery of the zero-day vulnerability. SysAid has told customers to monitor processes on their systems closely, especially looking out for unusual activities that could indicate a web shell has been executed.
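As an added illustration of the process-monitoring advice above (example code written for this page, not code from the original post, SysAid or Microsoft), the following Python detector walks constructed process-creation records and flags any command shell whose ancestry leads back to a Java server process, the pattern a web shell produces. The record format, the image names and the sample events are assumptions, not real telemetry.

```python
"""Flag shell processes whose ancestry includes the SysAid Java process."""
from dataclasses import dataclass

# Assumed image names: an on-prem SysAid instance running under java.exe, and the
# interpreters a web shell typically launches. Adjust to the real deployment.
SERVER_IMAGES = {"java.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample records in the form pid|ppid|image|cmdline (not real data).
SAMPLE_EVENTS = [
    "# pid|ppid|image|cmdline",
    "400|1|services.exe|services.exe",
    "1200|400|java.exe|java.exe -jar app.jar  (constructed SysAid service)",
    "1300|1200|cmd.exe|cmd.exe /c placeholder",
    "1310|1300|powershell.exe|powershell.exe -NoProfile -File script.ps1",
    "2000|400|explorer.exe|explorer.exe",
    "2010|2000|powershell.exe|powershell.exe",  # interactive admin shell, benign
]

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def parse_events(lines):
    """Parse 'pid|ppid|image|cmdline' records, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image.lower(), cmdline))
    return events

def find_server_spawned_shells(events, max_depth=4):
    """Return a chain string for every shell descended from a server process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for event in events:
        if event.image not in SHELL_IMAGES:
            continue
        chain, current = [event], event
        for _ in range(max_depth):  # walk up the tree a bounded number of steps
            parent = by_pid.get(current.ppid)
            if parent is None:
                break
            chain.append(parent)
            if parent.image in SERVER_IMAGES:
                hits.append(" <- ".join(f"{p.image}({p.pid})" for p in chain))
                break
            current = parent
    return hits

if __name__ == "__main__":
    for hit in find_server_spawned_shells(parse_events(SAMPLE_EVENTS)):
        print("ALERT: shell spawned under server process:", hit)
```

The benign PowerShell session under explorer.exe is not reported, while both the cmd.exe child of java.exe and the PowerShell grandchild are, which is the distinction the monitoring guidance asks administrators to draw.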
This level of skill in finding and using new vulnerabilities is uncommon for groups associated with ransomware services and shows a level of expertise similar to state-sponsored hacking groups.
Lace Tempest is linked to the Cl0p cybercrime group, which has been responsible for several significant cyberattacks this year, including the MOVEit attacks that started in June, affecting over 2,500 organizations, and a breach in the GoAnywhere service in February, impacting around 130 organizations in just over a week.
Interestingly, Cl0p has recently changed its usual approach. Instead of encrypting victims' data and demanding a ransom to decrypt it, they have simply been stealing sensitive data and demanding a ransom not to release it, leaving the data unencrypted. This change in tactics has been noted by security experts and represents a shift in the cybercrime landscape.