Vulnerable Cleo Managed File Transfer Software Without Updates

Over 200 Vulnerable Servers Targeted by Ransomware Group Amid Growing Exploits

Exposed Cleo Managed File-Transfer Software

Recent reports indicate over 200 Cleo managed file-transfer servers remain publicly accessible and without necessary updates, posing significant risks in light of a mass attack exploiting critical vulnerabilities discovered in the software. Despite warnings, these servers continue to be targets for cybercriminals.

According to cybersecurity firm Rapid7, “File-transfer software remains a prime target for adversaries, particularly financially motivated threat actors.” They have urged organizations to take “emergency action” to mitigate risks by disconnecting affected software from their networks until updates can be applied. The critical patch, version 5.8.0.24, was released on December 11.

Cleo Communications, based in Rockford, Illinois, serves around 4,000 organizations with its file-transfer solutions. An analysis via Shodan identified approximately 400 internet-exposed Cleo managed file-transfer servers, predominantly located in the U.S. Of these, only 199 had updated to the fully patched version. The remaining servers either operated an earlier patched version or an outdated version with known vulnerabilities.

The Clop ransomware gang recently suggested their involvement in these mass exploits through a “Happy New Year” message posted on their leak site. This incident marks the fifth campaign targeting vulnerabilities in widely used file-transfer software by the group.

Cybersecurity firms HannaC and Huntress alerted the industry on December 9 about signs of mass exploitation of Cleo software, having observed actors actively taking advantage of the vulnerabilities. The attacks reportedly began as early as December 3, targeting at least 28 Huntress customers.

Huntress noted that major retail organizations with operations primarily based in North America suffered significantly. Darktrace corroborated this information, reporting behavioral anomalies detected within clients’ environments, including a case where a Cleo server transferred over 500 megabytes of data to an external IP linked to previous Cleo-targeted attacks.

The vulnerabilities in Cleo’s software products, including Harmony, VLTrader, and LexiCom, have been categorized under various CVEs. Rapid7 identified two critical vulnerabilities that could allow unauthorized actors to upload any files remotely or execute arbitrary commands. This chain of exploits underscores the attackers’ likely use of initial access and privilege escalation tactics as classified in the MITRE ATT&CK framework.

Following the latest breaches, organizations using these products are advised to scrutinize logs for signs of compromise and post-exploitation activity dating back to early December. The unfolding situation raises alarms that the urgency of applying security updates in business-critical environments is not widely appreciated, a gap that could lead to further data breaches and a subsequent escalation of ransomware threats.