Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems.
Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo’s LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution.
The security hole is tracked as CVE-2024-50623 (CVSS score: 9.8), with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code.
The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE-2024-55956), warning of a separate “unauthenticated malicious hosts vulnerability that could lead to remote code execution.”
The development comes after Huntress said the patches released for CVE-2024-50623 do not completely mitigate the underlying software flaw. The issue impacts the below products and is expected to be patched later this week –
- Cleo Harmony (up to version 5.8.0.23)
- Cleo VLTrader (up to version 5.8.0.23)
- Cleo LexiCom (up to version 5.8.0.23)
In the attacks detected by the cybersecurity company, the vulnerability has been found to be exploited to drop multiple files, including an XML file that’s configured to run an embedded PowerShell command that’s responsible for retrieving a next-stage Java Archive (JAR) file from a remote server.
Specifically, the intrusions leverage the fact files placed in the “autorun” sub-directory within the installation folder are immediately read, interpreted, and evaluated by the susceptible software.
As many as at least 10 businesses have had their Cleo servers compromised, with a spike in exploitation observed on December 8, 2024, at around 7 a.m. UTC. Evidence gathered so far pins the earliest date of exploration to December 3, 2024.
Victim organizations span consumer product companies, logistics and shipping organizations, and food suppliers. Users are advised to ensure that their software is up-to-date to ensure that they are protected against the threat.
Ransomware groups like Cl0p (aka Lace Tempest) have previously set their sights on various managed file transfer tools in the past, and it looks like the latest attack activity is no different.
According to security researcher Kevin Beaumont (aka GossiTheDog), “Termite ransomware group operators (and maybe other groups) have a zero-day exploit for Cleo LexiCom, VLTransfer, and Harmony.”
Cybersecurity company Rapid7 said it also has confirmed successful exploitation of the Cleo issue against customer environments. It’s worth noting that Termite has claimed responsibility for the recent cyber attack on supply chain firm Blue Yonder.
Broadcom’s Symantec Threat Hunter Team told The Hacker News that “Termite appears to be using a modified version of Babuk ransomware, which, when executed on a machine, encrypts targeted files and adds a .termite extension.”
Data shared by attack surface management firm Censys shows that there are 1,342 exposed Cleo Harmony, VLTrader, and LexiCom instances online. Nearly 79% of the public-facing servers are located in the United States, followed by Canada, Mexico, Ireland, and Germany.
“Since we saw that Blue Yonder had an instance of Cleo’s software open to the internet via Shodan, and Termite has claimed Blue Yonder amongst its victims, which was also confirmed by their listing and open directory of files, I’d say that Gossi is correct in his statement,” Jamie Levy, Huntress’ Director of Adversary Tactics, told the publication.
“For what it’s worth, there have been some rumblings that Termite might be the new Cl0p, there is some data that seems to support this as Cl0p’s activities have waned while Termite’s activities have increased. They are also operating in some similar fashions. We’re not really in the attribution game, but it wouldn’t be surprising at all if we are seeing a shift in these ransomware gangs at the moment.”
Cleo Says Patch Under Development#
A Cleo spokesperson shared the following statement with The Hacker News –
“We have identified a critical vulnerability in instances of Cleo Harmony, VLTrader, and LexiCom products. Promptly upon discovering the vulnerability, we launched an investigation with the assistance of outside cybersecurity experts, notified customers of this issue and provided mitigation steps customers should immediately take to address the vulnerability while a patch is under development. Our investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates. Cleo remains focused on supporting its customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability.”
Cleo Releases Patches#
Cleo on Wednesday released fixes to address a vulnerability that Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the “autorun” directory.
The fixes are available in the below versions –
- Cleo Harmony version 5.8.0.24
- Cleo VLTrader version 5.8.0.24
- Cleo LexiCom version 5.8.0.24
Coinciding with the release of the patches, security researchers from watchTowr Labs have made available a proof-of-concept (PoC) exploit for CVE-2024-50623 that can be used to achieve arbitrary file read/write on vulnerable versions of Cleo software.
A spokesperson for Cleo shared the below statement with The Hacker News –
On December 11, 2024, Cleo released a new security patch to address the previously disclosed critical vulnerability in instances of Cleo Harmony, VLTrader, and LexiCom products. Cleo strongly recommends customers apply the available patch immediately.
Promptly upon discovering the vulnerability, Cleo launched an investigation with the assistance of outside cybersecurity experts, notified customers of the issue and provided instructions on immediate actions customers should take to address the vulnerability. Cleo continues to work proactively to support customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability.
Cleo’s investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates.
Attacks Lead to Malichus Malware#
Arctic Wolf, Binary Defense, Huntress, and Rapid7 have all released independent analyses of the malware – codenamed Cleopatra and Malichus – dropped following the exploitation of security flaws in unpatched Cleo instances. The exploitation campaign is said to have begun in earnest around December 7, 2024.
“The analysis of this multi-stage payload reveals a highly modular framework designed to operate stealthily and flexibly within a target environment,” Binary Defense noted in its technical write-up.
“The staged deployment methodology, starting from an initial PowerShell script and culminating in the execution of a dynamic Java-based command-and-control framework, demonstrates the attackers’ intent to evade detection and maintain persistence.”
Huntress said the first-stage involves dropping a PowerShell downloader that’s designed to retrieve and execute a JAR downloader, which, then proceeds to drop a modular post-exploitation framework that allows the operators to gather and exfiltrate files, perform reconnaissance, and perform read and write operations on the filesystem.
“This RAT facilitated system reconnaissance, file exfiltration, command execution, and encrypted communication with the attacker’s command-and-control (C2) server,” Rapid7 said. “Its modular architecture includes components for dynamic decryption, network management, and staged data transfer.”
CISA Adds Cleo Flaws to KEV Catalog#
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added CVE-2024-50623 to the Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being actively exploited in ransomware campaigns. Federal agencies are recommended to apply the patches by January 3, 2025.
As of December 17, 2024, the second Cleo flaw tracked as CVE-2024-55956 (CVSS score: 9.8) has also been added to the KEV catalog due to it being abused in ransomware attacks. Federal agencies have time till January 7, 2025, to update to the latest version of the software.
Intel 471 told The Hacker News that “the Cl0p group’s recent claim of compromising organizations through the newly disclosed Cleo vulnerabilities is likely credible, given the striking parallels with their previous exploitation of MOVEit Transfer, GoAnywhere MFT and Accellion FTA vulnerabilities.”
Noting that this is the first real activity observed from the ransomware gang since the MOVEit Transfer mass hack last year, the Cybersecurity firm said “it is plausible that CLOP had prior knowledge of several vulnerabilities in the Cleo platform, enabling the group to breach and extract data from victim organizations systematically long before the vendor issued any public security advisory.”
That said, while the tactics do appear to line up with Cl0p’s modus operandi, there is no definitive evidence as yet to conclusively link the attacks to the group given the absence of any new victims listed on its data leak site.
What’s more, It has since emerged that both the flaws that are currently being exploited are entirely different from one another and that CVE-2024-55956 is not the result of an incomplete fix for CVE-2024-50623.
“The new Cleo vulnerability (CVE-2024-55956), is an unauthenticated file write vulnerability,” Stephen Fewer, principal security researcher at Rapid7, told the publication. “It is not a patch bypass of the older vulnerability (CVE-2024-50623), as the root cause is different – CVE-2024-50623 is an unauthenticated file read and write vulnerability.”
“The two vulnerabilities are not chained together to achieve RCE. CVE-2024-55956 can be exploited by itself to achieve unauthenticated RCE. CVE-2024-55956 does occur in a similar part of the product code base as the CVE-2024-50623 and is reachable via the same endpoint in the target. However, the exploitation strategy differs greatly between the two vulnerabilities.”
