The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft.
Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers.
The issue, tracked as CVE-2023-47246, concerns a path traversal flaw that could result in code execution within on-premise installations. It has been patched by SysAid in version 23.3.36 of the software.
"After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware," Microsoft said.
"This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment."
According to SysAid, the threat actor has been observed uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service.
The web shell, besides providing the threat actor with backdoor access to the compromised host, is used to deliver a PowerShell script that's designed to execute a loader that, in turn, loads Gracewire.
Also deployed by the attackers is a second PowerShell script that's used to erase evidence of the exploitation after the malicious payloads had been deployed.
Furthermore, the attack chains are characterized by the use of the MeshCentral Agent as well as PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.
Organizations that use SysAid are highly recommended to apply the patches as soon as possible to thwart potential ransomware attacks as well as scan their environments for signs of exploitation prior to patching.
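As an added example (not SysAid's or Microsoft's tooling), the following Python script supports the pre-patch check recommended above: it inventories WAR archives in the Tomcat webroot and flags JSP/JSPX entries that carry command-execution idioms. The webroot path is an assumed placeholder and the sample archive is constructed inline; a hit is a lead for manual review, not proof of compromise.

```python
import io
import os
import re
import zipfile

# Assumed placeholder: point this at the real SysAid Tomcat webapps directory.
WEBROOT = "/path/to/sysaid/tomcat/webapps"

# Command-execution idioms typical of JSP web shells; tune to reduce noise.
SUSPICIOUS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")


def scan_war_bytes(name, data):
    """Return (archive, entry, reason) for each suspicious JSP/JSPX entry in one WAR."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as war:
            for entry in war.namelist():
                if not entry.lower().endswith((".jsp", ".jspx")):
                    continue
                match = SUSPICIOUS.search(war.read(entry))
                if match:
                    findings.append((name, entry, match.group(0).decode("ascii")))
    except zipfile.BadZipFile:
        # A .war that is not a zip is itself worth a look.
        findings.append((name, "", "not a valid zip archive"))
    return findings


def scan_webroot(webroot=WEBROOT):
    """Scan every .war directly under the webroot, where Tomcat auto-deploys archives."""
    findings = []
    for fname in sorted(os.listdir(webroot)):
        if fname.lower().endswith(".war"):
            with open(os.path.join(webroot, fname), "rb") as fh:
                findings.extend(scan_war_bytes(fname, fh.read()))
    return findings


def build_sample_war():
    """Constructed sample WAR: one benign page and one page carrying a shell idiom."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.jsp", b"<html><%= new java.util.Date() %></html>")
        war.writestr("WEB-INF/x.jsp", b"<% Runtime.getRuntime().exec(cmd); %>")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_webroot():
        print("REVIEW:", hit)
```

Compare the resulting list against the WAR files your SysAid deployment is known to ship, and treat any archive outside that set as a finding regardless of content.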
The development comes as the U.S. Federal Bureau of Investigation (FBI) warned that ransomware attackers are targeting third-party vendors and legitimate system tools to compromise businesses.
"As of June 2023, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually relating to pending charges on the victims' account," FBI said.
"Should a victim fall for the ruse and call the provided phone number, the malicious actors directed them to install a legitimate system management tool via a link provided in a follow-up email."
The attackers then used the management tool to install other authentic software that can be repurposed for malicious activity, the agency noted, adding the actors compromised local files and network shared drives, exfiltrated victim data, and extorted the companies.