Cleo Patches Critical Zero-Day Exploited in Data Theft Attacks

Summary:
In October, Cleo patched a remote code execution vulnerability (CVE-2024-50623) in its LexiCom, VLTrader, and Harmony software, which is commonly used to manage file transfers. However, on December 3, Huntress identified actors targeting fully patched Cleo software. Upon closer examination, Huntress found that the patch Cleo released for CVE-2024-50623 does not fully mitigate the flaw, allowing actors to bypass it in attacks. Notably, the bypass (no CVE-ID assigned) can be abused to import arbitrary bash or PowerShell commands by exploiting the default Autorun folder settings. Since its discovery, actors have actively exploited the flaw as a zero-day in attacks in the wild, with Huntress noticing an uptick in exploitation activity on December 8, 2024.

To date, Huntress has identified at least 10 companies whose Cleo servers have been compromised in the ongoing attacks, while Sophos has detected indicators of compromise on more than 50 Cleo hosts. Sophos reports that all affected organizations have operations or branches in North America, primarily in the United States. The majority of these companies are in industries such as consumer products, food, trucking, and shipping.

Security Officer Comments:
One of the threat actors behind these attacks is Termite ransomware, which recently claimed responsibility for breaching software-as-a-service provider Blue Yonder, impacting several of its clients, including Starbucks. Termite ransomware claims to have stolen 680 GB of data from Blue Yonder’s systems, including email lists that could be leveraged for future attacks, as well as over 200,000 files containing sensitive information, such as insurance documents. While Blue Yonder is still investigating the claims, Huntress noted that Blue Yonder had an instance of Cleo’s software exposed to the internet, which likely served as the initial entry point.

According to Huntress and other security firms like Rapid7, the exploitation of the vulnerability has been followed by the deployment of an encoded Java Archive (JAR) payload, which Huntress has named Malichus. This payload allows attackers to initiate file transfers, execute commands, and facilitate network communication. Researchers have noted that, to date, Malichus has only been observed on Windows systems, despite also being compatible with Linux systems.

Suggested Corrections:
Cleo Harmony, VLTrader, and LexiCom instances prior to version 5.8.0.21 are vulnerable to attacks. On a positive note, the company has published an updated fix for CVE-2024-50623 with the release of version 5.8.0.24, urging customers to update to the latest version as soon as possible to prevent further exploitation.

In addition to patching, it is crucial to review and restrict internet-facing access to Cleo software instances, ensuring that only necessary services are exposed. Macnica threat researcher Yutaka Sejiyama has identified 743 Cleo servers that are accessible online (379 running Harmony, 124 VLTrader, and 240 LexiCom). Implementing network segmentation and enforcing multi-factor authentication (MFA) for sensitive systems can help prevent unauthorized access. Additionally, monitoring for suspicious activity, such as the deployment of the Malichus payload or unusual file transfers, is essential for detecting potential exploitation. Finally, organizations should review their Autorun folder settings to prevent the execution of arbitrary commands and closely monitor for signs of lateral movement or data exfiltration.
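Because the bypass relies on files being dropped into the Cleo Autorun folder, a simple defensive check is to baseline that folder and alert on anything new or modified. The script below is an added example, not code from Cleo or Huntress; the default folder location (an `autorun` directory under the product install path) and the baseline file name are assumptions, and the actual directory should be taken from the Autorun Directory setting in the product's system options.

```python
"""Baseline the Cleo Autorun folder and flag files that were not there before."""
import hashlib
import json
import sys
from pathlib import Path

# Assumed defaults (not taken from the advisory); override on the command line.
DEFAULT_AUTORUN_DIR = Path(r"C:\LexiCom\autorun")
DEFAULT_BASELINE = Path("autorun_baseline.json")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large transfers do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(autorun_dir: Path) -> dict:
    """Map relative path -> sha256 for every file under the Autorun folder (empty if absent)."""
    if not autorun_dir.is_dir():
        return {}
    return {str(p.relative_to(autorun_dir)): hash_file(p)
            for p in sorted(autorun_dir.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Anything added or changed in the Autorun folder deserves a look; removals are noted too."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def check_autorun(autorun_dir: Path, baseline_file: Path) -> dict:
    """Compare the live folder against the saved baseline; create the baseline on first run."""
    current = snapshot(autorun_dir)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        return {"added": [], "changed": [], "removed": [], "baselined": True}
    result = diff_snapshots(json.loads(baseline_file.read_text()), current)
    result["baselined"] = False
    return result


if __name__ == "__main__":
    autorun = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_AUTORUN_DIR
    report = check_autorun(autorun, DEFAULT_BASELINE)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["added"] or report["changed"] else 0)  # non-zero = investigate
```

Run it once to record the baseline, then on a schedule; a non-zero exit means a file appeared in or changed inside the Autorun folder since the baseline was taken.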

Link(s):
https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update