MOVEit cybercriminals unearth fresh zero-day to exploit on-prem SysAid hosts
Second novel zero-day exploited by Lace Tempest this year offers notable demonstration of skill, especially for a ransomware affiliate
The cybercriminals behind the stream of MOVEit attacks from earlier this year are making use of a zero-day vulnerability in on-prem instances of IT service and help desk software-slinger SysAid.
Believed to be an affiliate of the Cl0p ransomware gang and tracked by Microsoft as Lace Tempest, the crew were able to execute PowerShell scripts and deploy malware by unearthing and abusing a novel zero-day in the IT service desk software.
Microsoft Threat Intelligence spotted the exploitation, which affected only a "limited" number of SysAid customers, and reported it to the company on November 2. The IT services biz then developed and released patches "immediately."
According to SysAid's writeup of the incident, Lace Tempest exploited a new path traversal vulnerability (CVE-2023-47246) to achieve code execution within on-prem versions of SysAid.
They uploaded a WAR archive containing a web shell into the webroot of the SysAid Tomcat web service, giving them control over the system. From there, Lace Tempest ran one PowerShell script to install a loader that later deployed the GraceWire malware, and another to erase traces of the malicious activity.
Microsoft said the deployment of GraceWire is often a precursor to other human-operated attack activity, including ransomware.
"Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and install any patches as they become available," read SysAid's advisory. "Taking proactive steps to secure your SysAid installations is vital in mitigating the risk."
Users were advised to upgrade to version 23.3.36, check whether any of the published indicators of compromise (IoCs) are present, and review any sensitive information, such as credentials, that may have been exposed to the attackers.
"Look for unauthorized access attempts or suspicious file uploads within the webroot directory of the SysAid Tomcat web service," said SysAid.
Customers thought to be vulnerable should also check the Tomcat service for any unwelcome web shells.
"Look for unusual files within the SysAid webroot directory, especially any WAR files, ZIP files, or JSP files that contain file timestamps that differ from the rest of the SysAid installation files. If SysAid is behind a proxy or a WAF, check the access logs from these services for suspicious POST requests to the server for signs of exploitation."
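Those two checks (files in the webroot whose timestamps don't match the rest of the install, and POSTs in the proxy or WAF logs that look like exploitation) can be scripted. The following is an added example and not SysAid's or Microsoft's tooling: it builds a throwaway directory imitating a webroot and uses constructed, made-up access-log lines; the advisory does not name the exploited endpoint, so the POST filter is a generic heuristic for traversal sequences and WAR/ZIP/JSP targets, and the file name `dropped.war` is invented for the demo.

```python
"""Hunting helpers for the SysAid webroot and proxy-log checks described above.

Constructed example, not SysAid's or Microsoft's code. The demo webroot and the
log lines are made up; the exploited endpoint is not known from the advisory,
so the POST filter is a heuristic, not a signature for CVE-2023-47246.
"""
import os
import re
import statistics
import tempfile
import time
from datetime import timedelta
from pathlib import Path

SUSPICIOUS_EXTS = {".war", ".zip", ".jsp"}

# Apache/Tomcat combined log format: ip - user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" plus its common URL-encoded forms
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.%2f|%2e%2e)", re.IGNORECASE)


def find_timestamp_outliers(webroot, tolerance=timedelta(days=1)):
    """Return WAR/ZIP/JSP files whose mtime is far from the installation baseline.

    The baseline is the median mtime of every file under the webroot: a normal
    install is written in one go, so an archive dropped months later stands out.
    """
    files = [p for p in Path(webroot).rglob("*") if p.is_file()]
    if not files:
        return []
    baseline = statistics.median(p.stat().st_mtime for p in files)
    hits = []
    for p in files:
        drift = abs(p.stat().st_mtime - baseline)
        if p.suffix.lower() in SUSPICIOUS_EXTS and drift > tolerance.total_seconds():
            hits.append(str(p.relative_to(webroot)))
    return sorted(hits)


def find_suspicious_posts(log_lines):
    """Flag POSTs whose path carries a traversal sequence or targets an archive/JSP."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path")
        ext = os.path.splitext(path.split("?", 1)[0])[1].lower()
        if TRAVERSAL_RE.search(path) or ext in SUSPICIOUS_EXTS:
            hits.append((m.group("ip"), path, m.group("status")))
    return hits


def build_demo_webroot():
    """Create a constructed webroot: install files written 90 days ago plus one fresh WAR."""
    root = tempfile.mkdtemp(prefix="sysaid_demo_")
    install_time = time.time() - 90 * 86400
    for name in ("index.jsp", "WEB-INF/web.xml", "lib/app.jar", "static/app.js"):
        p = Path(root, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("legit")
        os.utime(p, (install_time, install_time))
    Path(root, "dropped.war").write_text("PK")  # invented name; mtime is "now"
    return root


DEMO_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [02/Nov/2023:10:15:01 +0000] "GET /Login.jsp HTTP/1.1" 200 5120',
    '203.0.113.5 - - [02/Nov/2023:10:15:07 +0000] "POST /upload?file=..%2f..%2fwebapps%2fx.war HTTP/1.1" 200 12',
    '198.51.100.9 - - [02/Nov/2023:10:16:00 +0000] "POST /api/ticket HTTP/1.1" 201 88',
]

if __name__ == "__main__":
    print(find_timestamp_outliers(build_demo_webroot()))
    print(find_suspicious_posts(DEMO_LOG))
```

On a real host, point `find_timestamp_outliers` at the Tomcat webroot and widen `tolerance` if the install has been patched in stages; a legitimate upgrade will also produce newer files, so treat hits as leads to inspect, not verdicts.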
Joe Hannon, security researcher at Microsoft Threat Intelligence, said the zero-day bug was discovered by Microsoft after the team noticed a Java.exe process spawning a suspicious process.
SysAid advised customers to "pay close attention" to child processes spawned by Wrapper.exe, the service wrapper that launches SysAid's Java/Tomcat process: successful web shell execution shows up under this process tree, and ping.exe processes running under cmd.exe there deserve particular scrutiny.
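The process-tree check can be expressed as two rules over process-creation records: any cmd.exe or PowerShell descending from Wrapper.exe, and a ping.exe whose parent is a cmd.exe in that lineage. Below is an added example, not SysAid's or Microsoft's detection logic, that runs the rules over constructed Sysmon-style records (ProcessId, ParentProcessId, Image); the install paths and PIDs are made up, and `whoami.exe` and `nltest.exe` are added to the recon list as an assumption beyond the ping.exe the advisory names.

```python
"""Process-tree hunt for the Wrapper.exe -> java.exe -> cmd.exe -> ping.exe pattern.

Constructed example, not SysAid's or Microsoft's code. The records below imitate
Sysmon Event ID 1 fields; on a live host you would export real process-creation
events with the same three fields and pass them to hunt().
"""

WRAPPER = "wrapper.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# ping.exe is the one the advisory names; the others are an assumption
RECON_TOOLS = {"ping.exe", "whoami.exe", "nltest.exe"}


def _image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> (image name, parent pid) from process-creation records."""
    return {e["ProcessId"]: (_image_name(e["Image"]), e["ParentProcessId"]) for e in events}


def lineage(tree, pid):
    """Return [image, parent image, grandparent image, ...], stopping at unknown ancestors."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)  # guard against pid reuse producing a cycle
        image, ppid = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def hunt(events):
    """Flag processes under Wrapper.exe that look like web-shell command execution.

    Rule 1: a shell (cmd.exe/powershell.exe) anywhere beneath Wrapper.exe.
    Rule 2: a recon binary (ping.exe ...) whose direct parent is such a shell.
    Returns (pid, rule, lineage) tuples in record order.
    """
    tree = build_tree(events)
    findings = []
    for pid, (image, _) in tree.items():
        chain = lineage(tree, pid)
        if WRAPPER not in chain[1:]:
            continue  # not beneath the SysAid service wrapper
        if image in SHELLS:
            findings.append((pid, "shell-under-wrapper", chain))
        elif image in RECON_TOOLS and len(chain) > 1 and chain[1] in SHELLS:
            findings.append((pid, "recon-under-shell", chain))
    return findings


# Constructed records: the normal service tree, one web-shell execution,
# and an administrator's own unrelated cmd.exe/ping.exe that must not fire.
DEMO_EVENTS = [
    {"ProcessId": 500, "ParentProcessId": 4, "Image": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 1200, "ParentProcessId": 500, "Image": r"C:\SysAid\Wrapper.exe"},   # path assumed
    {"ProcessId": 1300, "ParentProcessId": 1200, "Image": r"C:\SysAid\jre\bin\java.exe"},
    {"ProcessId": 2400, "ParentProcessId": 1300, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 2410, "ParentProcessId": 2400, "Image": r"C:\Windows\System32\PING.EXE"},
    {"ProcessId": 3000, "ParentProcessId": 900, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 3010, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\PING.EXE"},
]

if __name__ == "__main__":
    for pid, rule, chain in hunt(DEMO_EVENTS):
        print(pid, rule, " <- ".join(chain))
```

The lineage walk stops at the first parent with no record, so a hunt over a partial export (say, only the last hour of events) can miss the Wrapper.exe ancestor; include the service's own start event or seed the tree with the long-running Wrapper.exe and java.exe PIDs before running it.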
Security researcher Will Thomas highlighted the significance of the finding and the group behind it. It's rare to see affiliates of ransomware-as-a-service operations demonstrating capabilities like Lace Tempest's.
"Their ability to consistently find new bugs and leverage them effectively is on par with an APT group at this stage," he said.
Lace Tempest is an affiliate of the Cl0p cybercrime group, which itself has laid claim to a number of major attacks this year.
Beyond the MOVEit attacks, which came to light in June and have to date affected more than 2,500 organizations, it was also responsible for the GoAnywhere breach in February, which hit around 130 organizations in just 10 days.
Cl0p has traditionally been a ransomware operation that uses the double extortion model, so called because the criminals steal data for blackmail purposes as well as crippling operations by encrypting it. In a curious turn in both the GoAnywhere and MOVEit cases, however, it skipped the encryption phase entirely.
Instead, it opted for a pure extortion approach – making the initial intrusion, stealing sensitive data, and then holding it to ransom, leaving systems unencrypted.
It was an uncharacteristic move for the group but it wasn't a novel one, with the method being adopted by various others throughout 2022. However, the scale of Cl0p's attacks this year moved the spotlight on the tactic to an even greater extent. ®