Alert essentials:

Exposed Cleo file transfer products are being exploited for data theft in the wild. The previous patch was flawed; mitigate it now.

Detailed threat description:

In late October 2024, Cleo released version 5.8.0.21 of its enterprise file transfer software products, Cleo Harmony, VLTrader, and LexiCom.

The release was to patch an unrestricted file upload and download issue, possibly resulting in remote code execution (RCE) with system privileges.

However, the release failed to patch the vulnerability properly, and bad actors have been exploiting it to drop an XML file on vulnerable systems. The file runs a PowerShell command, which retrieves a Java Archive file from a remote server. These JAR files are disguised as .txt files but contain a .ZIP file with functionality for stealthy persistence on the endpoint.

File transfer software continues to be exploited for spreading ransomware for financially motivated attacks. This campaign has been ongoing since at least December 3, with an explosion of activity on December 8, 2024.

Researchers have developed a proof-of-concept that works on both patched and unpatched Cleo devices.

A newly identified ransomware group known as Termite is suspected of having a zero-day exploit for the flaw. The group gained widespread attention after claiming responsibility for a ransomware attack on Blue Yonder, a major SaaS provider.

They employ advanced tactics, such as double extortion, to increase the pressure on victims, making Termite a significant and growing threat. Analysis of a Termite ransomware sample revealed that Termite is essentially a rebranding of the notorious Babuk ransomware.

Cleo is expected to release a new patch soon, possibly next week. Until then, ensure vulnerable instances are not exposed to the internet and implement the mitigation below.

Suggested Mitigations:
Later stages of this exploit use the autoruns directory for code execution. It is possible to reconfigure Cleo software to disable the autorun directory with the following steps:

  • Go to the “Configure” menu of LexiCom, Harmony, or VLTrader
  • Select “Options”
  • Navigate to the “Other” pane
  • Delete the contents of the “Autorun Directory” field

The steps above will eliminate the processing of Autorun files.

Impacts on healthcare organizations:

This vulnerability allows attackers to gain unauthorized access to systems, potentially stealing protected health information, which can result in compromised patient privacy and identity theft.

Disruptions to healthcare systems and services may delay medical procedures. Additionally, organizations can experience significant financial loss and reputational damage.

To mitigate these risks, healthcare organizations should immediately update affected Cleo products to version 5.8.0.21 or later, implement strict access controls, and monitor systems for suspicious activities.

Affected Products / Versions:

Cleo Harmony, VLTrader, and LexiCom software versions before 5.8.0.2.

CVEs
CVE-2024-50623

Indicators of Compromise (IoCs)


Recommendations

Engineering recommendations:

  • Move internet-exposed Cleo systems behind a firewall
  • Disable the autorun feature
  • Change the default autorun directory to a custom name
  • Implement strict input validation for file operations
  • Monitor systems for suspicious activities
  • If you are not a Huntress partner, review the host’s subdirectory in your software installation directory to determine if you have been affected
  • The presence of a main.xml or a 60282967-dc91-40ef-a34c-38e992509c2c.xml file (a name that looks to be reused across infections) with an embedded PowerShell-encoded command is a definitive indicator of compromise
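A triage script for the last two bullets, added here as an example (it is not Cleo's or Huntress's tooling): it walks the hosts subdirectory for the two reported file names and for an embedded encoded PowerShell command, and decodes that command for analyst review. The XML layout used in the constructed sample is assumed for the demonstration, not Cleo's real schema.

```python
import base64
import re
import tempfile
from pathlib import Path

# File names the advisory reports as reused across infections.
SUSPECT_NAMES = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}

# A PowerShell invocation carrying an encoded command (-e / -enc / -EncodedCommand)
# followed by a base64 blob; the blob is captured so it can be decoded.
ENCODED_CMD_RE = re.compile(
    r"powershell(?:\.exe)?[^<\"']*?-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text; decode it so an analyst can read it."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def scan_hosts_dir(hosts_dir: Path) -> list[dict]:
    """Report every XML file under the hosts directory that matches either indicator."""
    findings = []
    for path in sorted(hosts_dir.rglob("*.xml")):
        text = path.read_text(errors="replace")
        match = ENCODED_CMD_RE.search(text)
        by_name = path.name.lower() in SUSPECT_NAMES
        if by_name or match:
            findings.append({
                "path": str(path),
                "suspect_name": by_name,
                "encoded_powershell": match is not None,
                "decoded": decode_encoded_command(match.group(1)) if match else None,
            })
    return findings

def demo() -> list[dict]:
    """Constructed hosts directory (assumed layout, not Cleo's schema): one ordinary file, one hit."""
    blob = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
    with tempfile.TemporaryDirectory() as tmp:
        hosts = Path(tmp) / "hosts"
        hosts.mkdir()
        (hosts / "partner.xml").write_text("<Host alias='partner'><Mailbox/></Host>")
        (hosts / "main.xml").write_text(f"<Host><Action>powershell.exe -enc {blob}</Action></Host>")
        return scan_hosts_dir(hosts)
```

Point `scan_hosts_dir` at the real hosts subdirectory of the Cleo installation; a result flagged on both name and encoded command should be treated as the definitive indicator described above.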

Leadership/Program recommendations:

  • Apply the principle of least privilege
  • Cleo is currently working on a new patch to address the issue, which is expected to be released soon
  • Consider implementing additional network segmentation to isolate affected systems

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: