Critical Cleo File-Transfer Flaw Under Active Exploitation; Cl0p Claims Responsibility
A critical flaw in Cleo file-transfer software is being actively exploited by threat actors. The vulnerability is believed to be a previously patched flaw, CVE-2024-50623, which allows unrestricted file uploads and downloads, including dangerous file types. Successful exploitation of the vulnerability can lead to remote code execution.
The vulnerability affects the following Cleo products:
- Cleo Harmony before 5.8.0.21
- Cleo VLTrader before 5.8.0.21
- Cleo LexiCom before 5.8.0.21
Cleo issued a patch to fix the vulnerability in October; however, the patch does not provide full protection against exploitation. Researchers at Huntress have observed mass exploitation and post-exploitation activity in patched and unpatched versions of the affected products since December 3, 2024. An analysis of the attacks allowed Huntress to develop a proof-of-concept exploit for the flaw, and while they believe threat actor activity uses the same method to exploit the flaw, they do not have full details of the vulnerability so they could not confirm whether that was the case. It is possible that threat actors are using a different attack vector. Researchers at Rapid7 confirmed they had seen successful exploitation of the flaw in customer environments.
According to Huntress, companies compromised via this vulnerability have mostly been in the consumer products, food, shipping, and trucking sectors. After Huntress shared its findings with Cleo, Cleo said it would issue a new CVE and expected to release a patch for the issue this week. On December 10, 2024, Cleo alerted customers that a critical vulnerability existed that allowed unauthenticated attackers to import and execute arbitrary bash and PowerShell commands by leveraging the default settings of the Autorun directory.
Until the patch is issued and applied, all users of the affected products should disconnect them from the public Internet and search for the Indicators of Compromise (IoCs) shared by Huntress to determine if the flaw has already been exploited. The threat actor behind the attacks has not been identified. While the Clop cybercrime group has form in this area, having exploited zero-day vulnerabilities in the Accellion FTA, Fortra’s GoAnywhere, and Progress Software’s MOVEit file transfer solutions, security researcher Kevin Beaumont suggests the Termite ransomware group may be behind the attacks, and claims they have a working exploit for the vulnerability.
Update: December 12, 2024: Cleo Releases Patches
“Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address additional discovered potential attack vectors of the vulnerability,” explained Cleo in its security update. “After applying the patch, errors are logged for any files found at startup related to this exploit, and those files are removed.”
Update: December 16, 2024: Clop Threat Group Claims Responsibility for Exploitation
The Clop threat group, aka Cl0p, has claimed responsibility for the initial exploit and the bypass identified by Huntress. The Clop group also claimed that if it detected data theft from government services, institutions, or medicine the data would be deleted without hesitation.
“Due to recent events (attack of CLEO) all links to data of all companies will be disabled and data will be permanently deleted from servers,” said the Clop group in a post on its leak site. “We will work only with new companies. Happy New Year © CL0P^_.” The post suggests the data stolen in its previous mass attack, which exploited a zero-day vulnerability in Progress Software’s MOVEit solution in late May 2023, will be deleted.