Dec 10, 2024Ravie LakshmananVulnerability / Threat Analysis

Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems.

Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo’s LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution.

The security hole is tracked as CVE-2024-50623, with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code.

The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE pending), warning of a separate “unauthenticated malicious hosts vulnerability that could lead to remote code execution.”

The development comes after Huntress said the patches released for CVE-2024-50623 do not completely mitigate the underlying software flaw. The issue impacts the below products and is expected to be patched later this week –

• Cleo Harmony (up to version 5.8.0.23)
• Cleo VLTrader (up to version 5.8.0.23)
• Cleo LexiCom (up to version 5.8.0.23)

In the attacks detected by the cybersecurity company, the vulnerability has been found to be exploited to drop multiple files, including an XML file that’s configured to run an embedded PowerShell command that’s responsible for retrieving a next-stage Java Archive (JAR) file from a remote server.

Specifically, the intrusions leverage the fact files placed in the “autorun” sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software.

As many as at least 10 businesses have had their Cleo servers compromised, with a spike in exploitation observed on December 8, 2024, at around 7 a.m. UTC. Evidence gathered so far pins the earliest date of exploration to December 3, 2024.

Victim organizations span consumer product companies, logistics and shipping organizations, and food suppliers. Users are advised to ensure that their software is up-to-date to ensure that they are protected against the threat.

Ransomware groups like Cl0p (aka Lace Tempest) have previously set their sights on various managed file transfer tools in the past, and it looks like the latest attack activity is no different.

According to security researcher Kevin Beaumont (aka GossiTheDog), “Termite ransomware group operators (and maybe other groups) have a zero-day exploit for Cleo LexiCom, VLTransfer, and Harmony.”

Cybersecurity company Rapid7 said it also has confirmed successful exploitation of the Cleo issue against customer environments. It’s worth noting that Termite has claimed responsibility for the recent cyber attack on supply chain firm Blue Yonder.

Broadcom’s Symantec Threat Hunter Team told The Hacker News that “Termite appears to be using a modified version of Babuk ransomware, which, when executed on a machine, encrypts targeted files and adds a .termite extension.”

“Since we saw that Blue Yonder had an instance of Cleo’s software open to the internet via Shodan, and Termite has claimed Blue Yonder amongst its victims, which was also confirmed by their listing and open directory of files, I’d say that Gossi is correct in his statement,” Jamie Levy, Huntress’ Director of Adversary Tactics, told the publication.

“For what it’s worth, there have been some rumblings that Termite might be the new Cl0p, there is some data that seems to support this as Cl0p’s activities have waned while Termite’s activities have increased. They are also operating in some similar fashions. We’re not really in the attribution game, but it wouldn’t be surprising at all if we are seeing a shift in these ransomware gangs at the moment.”

(This is a developing story. Please check back for more updates.)