Lace Tempest exploits the SysAid IT Support Software Vulnerability

Nov 09, 2023NewsroomVulnerability / Zero Day

The SysAid IT Support Software Vulnerability

The threat actor known as Lace Tempest is involved in exploiting a zero-day flaw in the SysAid IT support software in limited attacks, according to new findings from Microsoft.

Lace Tempest, known for distributing the Cl0p ransomware, has previously used zero-day flaws in the MOVEit Transfer and PaperCut servers.

The issue, tracked as CVE-2023-47246. SysAid patched this in version 23.3.36 of the software.

“After exploiting the vulnerability, Lace Tempest issued commands through SysAid software to deliver a malware loader for the Gracewire malware,” Microsoft SAYS.


“This is often followed by human-driven activity, including late-breaking, data theft, and ransomware deployment.”

According to SysAid, the threat actor is observed upload a WAR archive containing the web shell and other payloads to the webroot of the SysAid Tomcat web service.

The web shell, besides giving the threat actor backdoor access to the compromised host, is used to deliver a PowerShell script designed to execute a loader that, in turn, loads Gracewire.

Also deployed by the attackers was a second PowerShell script used to delete evidence of the exploit after the malicious payloads were deployed.

Additionally, attack chains are characterized by the use of MeshCentral Agent as well as PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.

Organizations using SysAid are highly recommended to apply patches as soon as possible to prevent potential ransomware attacks as well as scan their environments for signs of exploits. patching is not available yet.


The development comes as the US Federal Bureau of Investigation (FBI) warns that ransomware attackers are targeting third-party vendors and legitimate system tools to compromise businesses.

“In June 2023, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually related to pending cases on the victims’ account,” FBI SAYS.

If a victim falls for the trick and calls the provided phone number, the malicious actors instruct them to install a legitimate system management tool via a link provided in a follow-up email.”

The attackers then used the management tool to install other genuine software that could be reused for malicious activity, the agency said, adding actors compromised local files and shared network drives, exfiltrate victim data, and extort companies.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment