Lace Tempest

Threat Actor updated 4 months ago (2024-05-04T16:31:06.174Z)
Lace Tempest is a threat actor identified as the operator behind a series of attacks exploiting a zero-day vulnerability in SysAid. The exploitation was first disclosed by SysAid and further detailed in a blog post on TuxCare. The attack resembled earlier campaigns attributed to Lace Tempest, including those against Accellion FTA in 2020 and GoAnywhere MFT in 2023. Microsoft's threat intelligence team and SysAid's advisory confirmed that this zero-day flaw was exploited by Lace Tempest (DEV-0950 / TA505). The threat actor used Google ads to lure users into downloading malicious MSIX packages, which delivered the POWERTRASH loader; POWERTRASH in turn loads NetSupport and Gracewire, both commonly associated with Lace Tempest, and is used to stage further malware, indicating a multi-stage attack chain. These tactics underscore the persistent and evolving nature of the threat posed by Lace Tempest. The group's association with Clop ransomware is of particular concern given its history of data theft and extortion: Microsoft noted that Lace Tempest could use this access to exfiltrate data and deploy Clop ransomware, mirroring its tactics in the MOVEit Transfer attacks. The Lace Tempest activity underscores the need for robust security controls and vigilance against such advanced threat actors.
Description last updated: 2024-05-04T16:03:01.314Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Clop | 6 | Clop, also known as Cl0p, is a notorious ransomware group responsible for several high-profile cyberattacks. The group specializes in exploiting vulnerabilities in software and systems to gain unauthorized access, exfiltrate sensitive data, and then extort victims by threatening to release the stole
TA505 | 3 | TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
fin11 | 3 | FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
CVE-2023-34362 | 2 | CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Moveit
Ransomware
Exploit
Vulnerability
Extortion
Malware
Cobalt Strike
Microsoft
Implant
Beacon
Exploits
Sysaid
Reconnaissance
Malware Loader
Papercut
Payload
Zero Day
Lateral Move...
exploitation
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
Cobalt Strike Beacon | Unspecified | 3 | Cobalt Strike Beacon is a type of malware that has been linked to various ransomware activities. This malicious software has been loaded by HUI Loader in several instances, with different files such as mpc.tmp, dlp.ini, and vmtools.ini being used. A unique feature of this Cobalt Strike Beacon shellc
Raspberry Robin | Unspecified | 2 | Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obs
Gracewire | Unspecified | 2 | Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations,
Truebot | Unspecified | 2 | Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-27350 | Unspecified | 2 | CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
CVE-2023-47246 | has used | 2 | CVE-2023-47246 is a critical zero-day vulnerability discovered in the SysAid IT support and management software solution. The flaw, identified as a path traversal vulnerability, has been exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware. This vulnerability allows
CVE-2023-27351 | Unspecified | 2 | None
Source Document References
Information about the Lace Tempest threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 8 months ago | Microsoft Disables App Installer After Feature is Abused for Malware
CERT-EU | 8 months ago | Financially motivated threat actors misusing App Installer | Microsoft Security Blog
CERT-EU | 8 months ago | A year in review: 10 of the biggest security incidents of 2023
CERT-EU | 10 months ago | “Ransomware Alert: Clop Gang Targets Microsoft with Exploits on SysAid Zero-Day Vulnerability”
CERT-EU | 9 months ago | SysAid path traversal vulnerability - Cyber Security Review
CERT-EU | 9 months ago | Lace Tempest Exploits SysAid Zero-Day Flaw
CERT-EU | 10 months ago | Cyber Security Week In Review: November 17, 2023
CERT-EU | 10 months ago | SysAid Zero-Day Vulnerability Exploited by Threat Actors
CERT-EU | 10 months ago | SysAid Ransomware: Unveiling the Zero-Day Menace
CERT-EU | 10 months ago | Microsoft and SysAid Find Clop Malware Vulnerability
CERT-EU | 10 months ago | Cyber Security Today, Nov. 10, 2023 – Patch SysAid software fast, how Ukraine’s power system was crippled by Russia and more | IT World Canada News
CERT-EU | 10 months ago | Clop ransomware gang targets SysAid server bug
CERT-EU | 10 months ago | SysAid zero-day exploited by Clop ransomware group
CERT-EU | 10 months ago | SysAid zero-day exploited by Clop ransomware group
CERT-EU | 10 months ago | CVE-2023-47246: SysAid Flaw Used in Clop Ransomware Attacks
InfoSecurity-magazine | 10 months ago | MOVEit Gang Targets SysAid Customers With Zero-Day Attacks
DARKReading | 10 months ago | MOVEit Hackers Pivot to SysAid Zero-Day in Ransomware Attacks
BankInfoSecurity | 10 months ago | MOVEit Hackers Turn to SysAid Zero-Day Bug
CERT-EU | 10 months ago | Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability
Malwarebytes | 10 months ago | Update now! SysAid vulnerability is actively being exploited by ransomware affiliate | Malwarebytes