Ransomware Attackers Target Cleo Software Zero-Day Vulnerability


Cleo File Transfer Software Faces Active Exploitation by Cybercriminals


Update Dec. 12, 2024 00:34 UTC: A spokesperson for Cleo has announced that the company has released an urgent patch in response to active hacking attempts targeting its file transfer software. Customers are advised to apply the patch without delay.


Security researchers at Huntress have reported that Cleo Communications’ file transfer software is currently under active attack, with attackers exploiting a serious vulnerability that a recent patch failed to adequately resolve. This vulnerability, tracked as CVE-2024-50623, allows arbitrary file writes and is being chained with a product feature that automatically executes files placed in the software’s autorun directory.

Huntress initially detected the vulnerability affecting several Cleo products, including LexiCom, VLTransfer, and Harmony, on December 3. On December 11, Cleo issued a patch; however, Huntress reported that this fix “does not mitigate the software flaw,” raising urgent concerns about the ongoing security risk.

In response to the situation, Cleo has committed to developing an additional patch and has reported discovering another vulnerability that could facilitate remote code execution. The company has declared that a CVE identifier for this new flaw is currently pending.

In a recent communication, a representative from Cleo stated that the company had initiated an extensive investigation, enlisting the help of external cybersecurity specialists, and has provided customers with immediate mitigation strategies. The investigation is still underway.

Cybersecurity experts have advised customers using Cleo’s software to remove files from the autorun directory as a stopgap measure to obstruct potential attacks via this method. They caution that while this action may disable certain attack vectors, it will not close off the arbitrary file-write vulnerability until a comprehensive patch is issued.

Cleo’s software, which is widely used in sectors that depend on advanced logistics and supply chain operations, appears to have been compromised at a range of organizations. Huntress identified at least ten businesses with hacked Cleo services, with a notable surge in exploit activity on December 8. A search through Shodan revealed 436 vulnerable servers, primarily based in the United States.

The attack sequence reportedly begins with hackers placing malicious files in the autorun directory, which are then executed automatically. This action enables attackers to run PowerShell commands, establishing persistent access via webshells sourced from external locations. Malicious files associated with these attacks include healthchecktemplate.txt and healthcheck.txt.
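The interim guidance above (empty the autorun directory) and the attack sequence just described both come down to one defensive question: what is sitting in that directory right now? The following Python script is an added example, not code from the article, Huntress or Cleo. It inventories an autorun directory, hashes every file, flags the two filenames the article associates with the attacks, marks every other file for review (since the stopgap advice is to remove everything), and moves the flagged files into a quarantine folder rather than deleting them so they remain available for investigation. The autorun directory path is an assumption supplied by the caller, because the article does not give it, and the sample files in `demo()` are constructed for the demonstration.

```python
import os
import hashlib
import tempfile
from pathlib import Path

# Filenames the article reports as associated with the attacks.
KNOWN_MALICIOUS_NAMES = {"healthchecktemplate.txt", "healthcheck.txt"}


def sha256_of(path: Path) -> str:
    """Hash the file so the finding can be recorded alongside its name."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_autorun(autorun_dir) -> list[dict]:
    """Return one finding per regular file in the autorun directory.

    severity 'high'   : name matches a filename the article associates with the attacks
    severity 'review' : any other file; the interim guidance is to empty the directory,
                        so every remaining file should be reviewed and removed
    The directory path is an assumption: the article does not state where it lives.
    """
    findings = []
    for entry in sorted(Path(autorun_dir).iterdir()):
        if not entry.is_file():
            continue
        severity = "high" if entry.name.lower() in KNOWN_MALICIOUS_NAMES else "review"
        findings.append({
            "path": str(entry),
            "name": entry.name,
            "size": entry.stat().st_size,
            "sha256": sha256_of(entry),
            "severity": severity,
        })
    return findings


def quarantine(findings, quarantine_dir) -> list[str]:
    """Move every flagged file out of autorun into quarantine_dir (no deletion)."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    moved = []
    for f in findings:
        dest = qdir / f["name"]
        os.replace(f["path"], dest)
        moved.append(str(dest))
    return moved


def demo() -> dict:
    """Build a constructed autorun directory and run the scan and quarantine on it."""
    root = Path(tempfile.mkdtemp(prefix="cleo-autorun-demo-"))
    autorun = root / "autorun"
    autorun.mkdir()
    # Constructed sample files: the two names from the article plus one unrelated file.
    (autorun / "healthcheck.txt").write_text("constructed sample, not real content\n")
    (autorun / "healthchecktemplate.txt").write_text("constructed sample\n")
    (autorun / "notes.txt").write_text("unrelated file left by an operator\n")
    findings = scan_autorun(autorun)
    moved = quarantine(findings, root / "quarantine")
    return {
        "findings": findings,
        "high": sorted(f["name"] for f in findings if f["severity"] == "high"),
        "review": sorted(f["name"] for f in findings if f["severity"] == "review"),
        "moved": moved,
        "remaining": sorted(p.name for p in autorun.iterdir()),
    }


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f'{f["severity"]:6} {f["name"]} sha256={f["sha256"][:16]}...')
    print("moved to quarantine:", len(result["moved"]))
```

In production the call would be `quarantine(scan_autorun("<autorun path>"), "<quarantine path>")` against the real directory, with the recorded hashes and names kept for the incident record; matching on the two known names is only a convenience, since the advice in effect at the time of writing is that nothing should remain in the directory at all.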

Among the groups exploiting this vulnerability, cybersecurity researcher Kevin Beaumont highlighted the involvement of the Termite ransomware operation, which has been active since April. This group is utilizing a modified Babuk cryptolocker strain to extort businesses, including a recent attack that disrupted operations for major retailers like Starbucks.

Reporting contributed by Information Security Media Group’s David Perera in Washington, D.C.
