Medium
A new vulnerability (CVE-2023-47246) in SysAid on-premises software was discovered by researchers. Exploitation, carried out by the group tracked as DEV-0950 (Lace Tempest), involved uploading a malicious archive into the webroot, leading to unauthorized access. The attacker then used a WebShell to control the system and deployed a PowerShell script that executed a malware loader (user.exe), which loaded the GraceWire trojan into specific processes. To cover their tracks, a second PowerShell script was used to erase evidence from the disk and from the SysAid on-premises server logs.

The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by SysAid and shared publicly at https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
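As an added defensive example (not code from the Trellix or SysAid write-ups), the following Python sketch flags the chain described above in process-creation telemetry: PowerShell spawned by the web application process, then launching the user.exe loader or running cleanup commands. The web-server process names, the event field layout and the cleanup verbs are assumptions, and the sample events are constructed.

```python
# Added example, not from the Trellix/SysAid write-up: a small detector for the
# process chain the advisory describes, run over constructed process-creation
# events. Parent-process names and cleanup verbs are assumptions, not page IoCs.
from collections import defaultdict

# Assumption: the web application process a webroot WebShell would execute under.
WEB_PARENTS = {"java.exe", "tomcat9.exe", "w3wp.exe"}
LOADER_NAME = "user.exe"                                 # loader named in the advisory
WIPE_HINTS = ("remove-item", "clear-eventlog", "del ")   # assumed cleanup verbs

def find_webshell_chains(events):
    """Return a list of (powershell_pid, reasons) for PowerShell processes that
    were spawned by a web-app process and then launched the loader or a wipe."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or parent["image"].lower() not in WEB_PARENTS:
            continue
        reasons = ["powershell spawned by web-app process " + parent["image"]]
        for c in children[e["pid"]]:
            if c["image"].lower() == LOADER_NAME:
                reasons.append("launched loader " + c["image"])
        cmd = e["cmdline"].lower()
        if any(h in cmd for h in WIPE_HINTS):
            reasons.append("cleanup command in PowerShell cmdline")
        if len(reasons) > 1:       # web-app parent alone is not enough to alert
            hits.append((e["pid"], reasons))
    return hits

# Constructed sample events (Sysmon-style fields), not real telemetry.
SAMPLE = [
    {"pid": 100, "ppid": 1,   "image": "java.exe",       "cmdline": "java.exe -jar app"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -enc AAAA"},
    {"pid": 300, "ppid": 200, "image": "user.exe",       "cmdline": "user.exe"},
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe Remove-Item C:\\logs\\*"},
    {"pid": 500, "ppid": 1,   "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for pid, reasons in find_webshell_chains(SAMPLE):
        print(pid, "; ".join(reasons))
```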
Detection rate is the number of artifact detections reported by McAfee global sensors for this threat over 8 days.