Attackers Actively Exploiting Flaw(s) in Cleo File Transfer Software
Summary:
Huntress researchers have reported active exploitation of a vulnerability (CVE-2024-50623) in Cleo's file transfer software: Harmony, VLTrader, and LexiCom. The vulnerability allows unrestricted file upload and download and was initially patched in October 2024 (v5.8.0.21). However, the patch does not fully mitigate the issue, so attackers can still install backdoor code using malicious FreeMarker templates containing server-side JavaScript. Exploitation was observed as early as December 3, with a notable spike in activity on December 8.
In addition, Cleo disclosed a separate autorun exploit vulnerability affecting all software versions. This flaw allows unauthenticated users to execute arbitrary bash or PowerShell commands by leveraging the default settings of the Autorun directory. Attackers have used this vulnerability to deploy malicious files, enabling reverse shell connections from suspicious IP addresses. The IP addresses linked to these attacks overlap with those identified by Huntress.
Security Officer Comments:
The attackers have been observed deleting files post-use to evade detection and enumerating potential Active Directory assets using the Windows command-line tool Nltest. While no evidence of data exfiltration has been confirmed, the history of cyber extortion groups targeting enterprise file transfer tools underscores the potential severity of these exploits. Further updates from Huntress and Cleo are anticipated as the situation develops.
Suggested Corrections:
Huntress researchers have advised organizations to move any internet-exposed Cleo systems behind a firewall until a new patch is released. They also counseled disabling the Autorun feature if it’s not used.
Cleo has provided scripts customers can use to automatically disable Autorun if they can’t do it via the user interface.
For those that use Autorun in day-to-day operations, the company advises:
- Changing the default Autorun directory to a custom name
- Searching for malicious files on the hosts and removing them (either manually or via provided scripts that locate and quarantine any malicious files)
- Blocking attack IP addresses at the network/firewall level
According to Huntress, a new patch for CVE-2024-50623 is in the works, and it is safe to assume Cleo is also working on a patch for the Autorun exploit vulnerability.
Link(s):
https://www.helpnetsecurity.com/202...-transfer-software-vulnerabilities-exploited/