Lace Tempest

Threat Actor updated 2 months ago (2024-09-27T12:00:54.382Z)
Lace Tempest is a threat actor identified as the orchestrator of a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. The attack resembled previous campaigns orchestrated by Lace Tempest, including those against Accellion FTA in 2020 and GoAnywhere MFT in 2023. Microsoft's threat intelligence team and SysAid's advisory confirmed that the zero-day flaw has been exploited by Lace Tempest (DEV-0950 / TA-505).

The threat actor used Google ads to lure users into downloading malicious MSIX packages, leading to the delivery of POWERTRASH malware, which subsequently loads NetSupport and Gracewire, both typically associated with Lace Tempest. POWERTRASH is then used to load additional malware, indicating a complex, multi-layered attack strategy. These tactics underscore the persistent and evolving nature of the threat posed by Lace Tempest.

Lace Tempest's association with Clop ransomware raises significant concerns because of the group's past involvement in data theft and ransom threats. Microsoft highlighted that Lace Tempest might leverage its access to exfiltrate data and deploy Clop ransomware, drawing parallels with its tactics in the MOVEit Transfer attacks. The gravity of the Lace Tempest attack emphasizes the need for robust cybersecurity measures and vigilance against such advanced threat actors.
Description last updated: 2024-05-04T16:03:01.314Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| Clop is a possible alias for Lace Tempest. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin | 6 |
| TA505 is a possible alias for Lace Tempest. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec | 3 |
| fin11 is a possible alias for Lace Tempest. FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste | 3 |
| CVE-2023-34362 is a possible alias for Lace Tempest. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Moveit
Ransomware
Exploit
Vulnerability
Extortion
Malware
Cobalt Strike
Microsoft
Implant
Beacon
Exploits
Sysaid
Reconnaissance
Malware Loader
Papercut
Payload
Zero Day
Lateral Move...
exploitation
Associated Malware
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Cobalt Strike Beacon Malware is associated with Lace Tempest. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon | Unspecified | 3 |
| The Raspberry Robin Malware is associated with Lace Tempest. Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st | Unspecified | 2 |
| The Gracewire Malware is associated with Lace Tempest. Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, | Unspecified | 2 |
| The Truebot Malware is associated with Lace Tempest. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow | Unspecified | 2 |
Associated Vulnerabilities
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The CVE-2023-27350 Vulnerability is associated with Lace Tempest. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first upda | Unspecified | 2 |
| The CVE-2023-47246 Vulnerability is associated with Lace Tempest. CVE-2023-47246 is a critical zero-day vulnerability discovered in the SysAid IT support and management software solution. The flaw, identified as a path traversal vulnerability, has been exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware. This vulnerability allows | has used | 2 |
| The vulnerability CVE-2023-27351 is associated with Lace Tempest. | Unspecified | 2 |