TL;DR – Cleo software CVE-2024-50623 is being actively exploited in-the-wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you immediately move any affected, internet-exposed Cleo systems behind a firewall until a new patch is released. Afterwards, review your logs for signs of intrusion. Full details here.
Across ~1,700+ Cleo LexiCom, VLTransfer, and Harmony servers we protect, we’ve observed evidence of threat actors exploiting businesses en masse and performing post-exploitation activity. Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers. Shodan includes numerous other potential vulnerable servers.
Although Cleo published an update and advisory on October 29, 2024 for CVE-2024-50623—which allows unauthenticated remote code execution—Huntress security researchers have recreated the proof-of-concept and learned the patch does not mitigate the vulnerability.
Based on our analysis and Cleo’s email to customers, all versions up to 5.8.0.2123 are vulnerable:
- Cleo Harmony® (up to version 5.8.0.23)
- Cleo VLTrader® (up to version 5.8.0.23)
- Cleo LexiCom® (up to version 5.8.0.23)
One way to identify signs of compromise is to review the hosts subdirectory in your software installation directory to determine if you have been affected. The presence of a main.xml or a 60282967-dc91-40ef-a34c-38e992509c2c.xml file (a name that looks to be reused across infections) with an embedded PowerShell-encoded command is a definitive indicator of compromise.
Our team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation. This post will be frequently updated with threat intel and we’ll quickly get a blog up with additional details.
Update Dec 9, 2024 @ 22:55 ET
Just publish the first set of IOCs on the blog that mainly covers Windows systems. Includes info like:
- Logs following threat actor exploitation with explanations
- How the arbitrary file-write leverages a .ZIP to get execution
main.xmlcontents used for in-the-wild exploitation- The use of encoded PowerShell to retrieve new JAR files (post-exploitation)
- Process tree details to assist PID / PPID hunting
- A video demonstrating our PoC successfully exploiting a fully patched Cleo server
- IoCs, CyberChef recipes, sigma rules and other goodies.
Team Australia now has the baton while the US team sleeps. Expect them to share new research and intel as this situation unfolds.
Update Dec 10, 2024 @ 13:25 ET
We has a solid video-call with the Cleo engineering team last night and validated our exploitation method matched their understanding of the issue. The engineering leader on the call spoke credibly and in-detail about how the vulnerability was being exploited and we emphasized the urgency to patch (which they agreed with).
As for Cleo post-exploitation tradecraft, the behaviors we’ve observed since Dec 3 has remained fairly consistent overnight with a notable exception of threat actors attempting to better clean-up files left on disk. Examples of the include delete commands like:
powershell -Noninteractive -EncodedCommand Start-Sleep 3;del "C:\LexiCom\cleo.1142"
We also want to confirm Linux servers are also exploitable / being compromised and Cleo has published scripts to help locate malicious Host files:
- Cleo’s locate_and_quarantine_hosts.zip (Linux & Unix)
- Cleo’s locate_and_quarantine_hosts.ps1 (Windows)
Although a new patch hasn’t been released (new CVE pending), Cleo has opened 24×7 customer support access to all customers, regardless of support level, to address matters related to the vuln (great call! 👏🎉).
We’ve received a ton of questions on threat actor and victim attribution. We’re trying stay laser-focused on preventive and response action, so we’ll keep this short:
- Yes, we’ve seen major companies like Blue Yonder have many public facing Cleo servers. We don’t have any inside scoop if Termite leveraged this exploit to gain access (we do acknowledge the rise of Termite and fading of cl0p is sus 😉
- Yes, it seems like this mass exploitation is cybercrime motivated but want to caveat that many previous mass incidents started very small and targeted and then broadened into ransomware or coinminers. (Exchange was a great example of this)
⚠️ Lastly, we want to warn that a publicly available exploit feels imminent. Some of the recent updates to Cleo’s knowledge base article nod to the exploitation vector in ways we were not comfortable sharing. Considering the limited time it took our researchers to reverse engineer the patch and weaponize the vulnerability, it’s highly plausible others have as well and broader exploitation is inbound. Stay vigilant 💪
