Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems.
Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo’s LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution.
The security hole is tracked as CVE-2024-50623, with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code.
The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE pending), warning of a separate “unauthenticated malicious hosts vulnerability that could lead to remote code execution.”
The development comes after Huntress said the patches released for CVE-2024-50623 do not completely mitigate the underlying software flaw. The issues impact the below products –
- Cleo Harmony (up to version 5.8.0.23)
- Cleo VLTrader (up to version 5.8.0.23)
- Cleo LexiCom (up to version 5.8.0.23)
In the attacks detected by the cybersecurity company, the vulnerability has been found to be exploited to drop multiple files, including an XML file that’s configured to run an embedded PowerShell command that’s responsible for retrieving a next-stage Java Archive (JAR) file from a remote server.
Specifically, the intrusions leverage the fact files placed in the “autorun” sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software.
As many as at least 10 businesses have had their Cleo servers compromised, with a spike in exploitation observed on December 8, 2024, at around 7 a.m. UTC. Evidence gathered so far pins the earliest date of exploration to December 3, 2024.
Victim organizations span consumer product companies, logistics and shipping organizations, and food suppliers. Users are advised to ensure that their software is up-to-date to ensure that they are protected against the threat.
Ransomware groups like Cl0p (aka Lace Tempest) have previously set their sights on various managed file transfer tools in the past, and it looks like the latest attack activity is no different.
According to security researcher Kevin Beaumont, “Termite ransomware group operators (and maybe other groups) have a zero-day exploit for Cleo LexiCom, VLTransfer, and Harmony.”
Cybersecurity company Rapid7 said it also has confirmed the successful exploitation of the Cleo issue against customer environments.
Broadcom’s Symantec Threat Hunter Team told The Hacker News that “Termite appears to be using a modified version of Babuk ransomware, which, when executed on a machine, encrypts targeted files and adds a .termite extension.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com