Weekly Digest Week 45 – 2023

Publication date

10.11.2023

Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability

The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft. Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers.

The issue, tracked as CVE-2023-47246, is a path traversal flaw in on-premises SysAid installations that can lead to code execution on the server. SysAid has patched it in version 23.3.36 of the software.

After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware.

Organizations that use SysAid are strongly advised to apply the patch as soon as possible to thwart potential ransomware attacks, and to scan their environments for signs of exploitation before patching, since an attacker who is already inside is not removed by the update.

Analysis from our SOC team
Organisations running SysAid on-premises should upgrade to version 23.3.36 as soon as possible. The vulnerability is being exploited in the wild and, given the actor behind it, a successful compromise can end in ransomware deployment across the infrastructure. Because patching does not evict an attacker who is already present, review the SysAid server for signs of exploitation before or alongside the update.

If you need help, do not hesitate to contact our SOC team.

Other news

CVE-2023-46604 poses a grave threat to Apache ActiveMQ: successful exploitation gives Remote Code Execution (RCE) on the broker. The flaw lies in the handling of the OpenWire protocol (exposed by default on TCP port 61616), and its CVSS characteristics, network-reachable, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity and availability, make it about as urgent as a vulnerability gets. Ransomware operators are actively exploiting it in the wild, helped by a publicly available Proof of Concept (PoC) on GitHub.

The vulnerability carries a CVSS score of 10.0, the maximum severity. The following versions are affected:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

In light of the active exploitation of the flaw, users should update to the fixed release of their branch (5.15.16, 5.16.7, 5.17.6 or 5.18.3) as soon as possible and review their brokers for indicators of compromise.

Analysis from our SOC team
This vulnerability, for which Apache published fixed releases in late October, allows attackers to obtain RCE through the Apache ActiveMQ application. It has been actively exploited by several threat actors in the wild, which is why patching it as soon as possible is of critical importance.

If you believe you might have been a victim of this exploitation, contact our SOC to ensure proper handling of the incident.
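To turn the version list above into something you can run against an inventory, here is an added Python example (my own code, not Apache's or the Approach SOC's) that encodes the affected ranges as half-open intervals, checks a version string against them, and reports the first fixed release of the matching branch. The inventory it runs on is constructed for illustration; the hostnames are not real.

```python
"""Triage an Apache ActiveMQ inventory against the CVE-2023-46604 affected
ranges listed above. Each range is [first affected, first fixed)."""
import re

# Classic broker: three maintained branches plus "before 5.15.16" (no lower bound).
BROKER_RANGES = [((5, 18, 0), (5, 18, 3)), ((5, 17, 0), (5, 17, 6)),
                 ((5, 16, 0), (5, 16, 7)), ((0, 0, 0), (5, 15, 16))]
# Legacy OpenWire module: same branches, but the old line starts at 5.8.0.
LEGACY_OPENWIRE_RANGES = BROKER_RANGES[:3] + [((5, 8, 0), (5, 15, 16))]
# First fixed release per maintained branch; anything older goes to 5.15.16.
FIXED_RELEASE = {(5, 18): "5.18.3", (5, 17): "5.17.6", (5, 16): "5.16.7"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.-]*)?")


def parse_version(text):
    """'5.17.1' or '5.17.1-SNAPSHOT' -> (5, 17, 1); rejects anything else."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, component="broker"):
    """True if the version falls in an affected range for that component.
    Versions outside every listed branch (e.g. 6.x) are reported as not
    matching this advisory, which is not the same as being proven safe."""
    ranges = LEGACY_OPENWIRE_RANGES if component == "legacy-openwire" else BROKER_RANGES
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in ranges)


def fixed_release_for(version, component="broker"):
    """First release that closes the hole for this version's branch, or None
    if the version is not affected."""
    if not is_affected(version, component):
        return None
    return FIXED_RELEASE.get(parse_version(version)[:2], "5.15.16")


def triage(inventory):
    """inventory: iterable of (host, version, component). Returns the list of
    (host, version, fixed_release) that still need patching, oldest first."""
    hits = [(host, ver, fixed_release_for(ver, comp))
            for host, ver, comp in inventory if is_affected(ver, comp)]
    return sorted(hits, key=lambda hit: parse_version(hit[1]))


# Constructed sample inventory (hostnames are invented), as a CMDB export might look.
SAMPLE_INVENTORY = [
    ("mq-prod-01", "5.18.2", "broker"),
    ("mq-prod-02", "5.18.3", "broker"),
    ("mq-legacy-01", "5.15.9", "broker"),
    ("mq-legacy-02", "5.15.16", "broker"),
    ("app-openwire-01", "5.8.0", "legacy-openwire"),
    ("mq-dev-01", "5.17.1-SNAPSHOT", "broker"),
]

if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected by CVE-2023-46604, upgrade to {fix}")
```

Feed it the version shown in the ActiveMQ web console or in the activemq-*.jar file names. The comparison is a plain tuple comparison on (major, minor, patch), so a build suffix such as -SNAPSHOT is ignored; if your packaging vendor backports fixes without bumping the upstream version, trust their advisory over this check.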

Veeam has released hotfixes for four vulnerabilities in Veeam ONE, two of them critical. CVE-2023-38547 (CVSS 9.9) allows an unauthenticated user to obtain information about the SQL Server connection that Veeam ONE uses to access its configuration database. This could lead to remote code execution on the SQL Server hosting that database.

CVE-2023-38548 (CVSS 9.8) allows an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service, which could be abused to gain unauthorised access to the service.

CVE-2023-38547, CVE-2023-38549 (a lower-severity cross-site scripting issue) and CVE-2023-41723 (a lower-severity access-control issue) affect Veeam ONE 11, 11a and 12, while CVE-2023-38548 affects only Veeam ONE 12. Veeam has published hotfixes for the following builds:

  • Veeam ONE 11 (11.0.0.1379)
  • Veeam ONE 11a (11.0.1.1880)
  • Veeam ONE 12 P20230314 (12.0.1.2591)

Over the past few months, critical flaws in Veeam Backup & Replication have been exploited by multiple threat actors, including FIN7 and BlackCat ransomware affiliates, to distribute malware, so Veeam products are a known target.

Analysis from our SOC team
We recommend that organisations running the affected versions apply the hotfixes provided by the vendor as soon as possible. Since CVE-2023-38548 can disclose the NTLM hash of the Reporting Service account and CVE-2023-38547 exposes the configuration database connection, it is also prudent, once the hotfix is applied, to rotate the password of the Reporting Service account and to verify that the SQL Server hosting the configuration database is not reachable from anywhere other than the Veeam ONE server.

FIRST, the Forum of Incident Response and Security Teams, which maintains the standard, has officially published the latest version of the Common Vulnerability Scoring System, CVSS 4.0 (released on 1 November 2023). The new version organises metrics into Base, Threat (replacing the Temporal group of v3.x), Environmental and Supplemental groups, and names a score by the groups used to produce it (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE), so a consumer can tell a vendor's base score from one enriched with threat intelligence and with the organisation's own environment. This should let organisations assess and manage more accurately the risk that a security bug poses to their specific environment. How helpful it really is will depend on their willingness and ability to populate the new metrics and build the context needed for smarter vulnerability prioritisation.

Analysis from our SOC team
The number of vulnerabilities grows day after day. To help companies cope, FIRST has established a new version of the CVSS score that allows an organisation to supply specific information about its own environment and so better assess and manage the risk linked to a given vulnerability.

If you require assistance with your vulnerability management, do not hesitate to contact our SOC.
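To show what the extra context in CVSS 4.0 looks like in practice, here is an added Python example (my own code, not FIRST's reference implementation) that validates a v4.0 vector string, applies the Modified environmental metrics over the vendor's Base metrics, and names the result with the CVSS-B/BT/BE/BTE nomenclature. The two vectors in it are constructed for illustration and are not any vendor's or NVD's scoring of the vulnerabilities above. It deliberately stops short of computing the numeric score, which requires the specification's MacroVector lookup table.

```python
"""Validate a CVSS v4.0 vector string, apply the environmental (Modified)
metrics over the Base metrics, and name the result with the v4.0
nomenclature (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE). The numeric score
(the MacroVector lookup) is left to the official FIRST calculator."""

# Allowed values per metric, taken from the CVSS v4.0 specification.
# "X" means "Not Defined" and is treated as if the metric were absent.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML",
                 "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
                 "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
                 "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN"}
SUPPLEMENTAL = {"S": ["X", "N", "P"], "AU": ["X", "N", "Y"], "R": ["X", "A", "U", "I"],
                "V": ["X", "D", "C"], "RE": ["X", "L", "M", "H"],
                "U": ["X", "Clear", "Green", "Amber", "Red"]}

# metric name -> (group, allowed values)
METRICS = {}
for _group, _table in (("base", BASE), ("threat", THREAT),
                       ("environmental", ENVIRONMENTAL), ("supplemental", SUPPLEMENTAL)):
    for _name, _allowed in _table.items():
        METRICS[_name] = (_group, tuple(_allowed))


def parse_cvss4(vector):
    """Return {metric: value}, or raise ValueError on anything the spec forbids:
    wrong prefix, unknown metric, bad value, duplicate, or a missing Base metric.
    Metric order is not enforced (the prefix must come first)."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with the CVSS:4.0 prefix")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in METRICS:
            raise ValueError(f"unknown metric {part!r}")
        if value not in METRICS[name][1]:
            raise ValueError(f"value {value!r} is not valid for {name}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"mandatory Base metrics missing: {', '.join(missing)}")
    return metrics


def is_valid(vector):
    """Boolean wrapper around parse_cvss4 for bulk validation."""
    try:
        parse_cvss4(vector)
        return True
    except ValueError:
        return False


def effective_base(metrics):
    """Base metrics as they stand after the assessing organisation's Modified
    (M*) overrides; an override left at X keeps the vendor's Base value.
    MSI/MSA may introduce 'S' (Safety), a value the Base metrics cannot take."""
    effective = {name: metrics[name] for name in BASE}
    for name, value in metrics.items():
        if METRICS[name][0] == "environmental" and name.startswith("M") and value != "X":
            effective[name[1:]] = value
    return effective


def nomenclature(metrics):
    """CVSS-B, plus 'T' if any Threat metric is set and 'E' if any Environmental
    metric is set. Supplemental metrics never change the label."""
    def group_set(group):
        return any(v != "X" for n, v in metrics.items() if METRICS[n][0] == group)
    return "CVSS-B" + ("T" if group_set("threat") else "") + ("E" if group_set("environmental") else "")


# Constructed illustrative vectors (not a vendor's or NVD's published scoring).
# Vendor view of a network-reachable, no-auth RCE:
VENDOR_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
# The same flaw as seen by an operator whose broker is reachable only from an
# internal segment (MAV:A), who knows exploitation is confirmed (E:A) and who
# rates the availability of this system as critical (AR:H):
OPERATOR_VECTOR = VENDOR_VECTOR + "/E:A/MAV:A/AR:H"

if __name__ == "__main__":
    for vec in (VENDOR_VECTOR, OPERATOR_VECTOR):
        m = parse_cvss4(vec)
        print(nomenclature(m), "effective AV =", effective_base(m)["AV"], vec)
```

The point of the Modified metrics is visible in the second vector: the vendor's AV:N becomes an effective AV:A for this operator, and the label changes from CVSS-B to CVSS-BTE, telling anyone reading the score that threat and environment were folded in. Feed the resulting vector to the official calculator for the number; comparing a CVSS-B from one source with a CVSS-BTE from another is exactly the mistake the nomenclature exists to prevent.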

For the past few days, all kinds of fraudulent messages have been circulating with supposed job offers from companies that are urgently looking for new employees. The salary offered is always very attractive, the conditions are simple, and the job seems open to anyone. Be extra vigilant: if it is too good to be true, it often is.

Analysis from our SOC team
Suspicious messages can be forwarded to any of the three email addresses from Safeonweb:

  • verdacht@safeonweb.be
  • suspect@safeonweb.be
  • suspicious@safeonweb.be

Our SOC is also available to assist in case there are any doubts or suspicions about text or mail messages.
