Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623)
Attackers are exploiting a vulnerability (CVE-2024-50623) in file transfer software by Cleo – LexiCom, VLTrader, and Harmony – to gain access to organizations’ systems, Huntress researchers warned on Monday.
“We’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3,” they shared, and noted that there are more potentially vulnerable Cleo servers out there.
What’s happening?
Which vulnerability are the attackers exploiting? Huntress researchers say it’s CVE-2024-50623, an unrestricted file upload and download vulnerability, a fix for which Cleo pushed out in late October 2024 in v5.8.0.21 of Harmony, VLTrader, and LexiCom.
Huntress researchers found that the patch provided by Cleo “does not mitigate the software flaw.”
According to a document that can only be viewed by customers logged in to Cleo’s Solution Center, “this vulnerability has been leveraged to install malicious backdoor code on certain Cleo Harmony, VLTrader, and LexiCom instances in the form of a malicious Freemarker template containing server-side JavaScript”.
The document also provides indicators of compromise – two file hashes and an IPv4 address – associated with the attacks.
But on Monday the company also published a separate advisory for an autorun exploit vulnerability – currently without a CVE number – that affects all versions of the aforementioned software, including v5.8.0.21.
The vulnerability “could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory,” the company explained in a linked document (that’s behind the aforementioned registration wall).
“This vulnerability has been leveraged to place a randomly named file containing a malicious host in the /[cleo product]/temp directory and an import command in the /autorun directory. These malicious hosts have commands that attempt to establish a reverse shell connection from one or more suspicious IP addresses back into the Harmony, VLTrader, or LexiCom server.”
The IP addresses associated with these attacks shared by Cleo correspond (in part) with those shared by Huntress.
Huntress researchers have promised to update the blog as more details emerge from their end, but so far have found that the attackers are actively deleting some files after downloading and using them, to increase stealthiness. They have also observed the attackers enumerating potential Active Directory assets with Nltest, a built-in Windows Server command-line tool.
They do not mention observing any data or file exfiltration activity, but cyber extortion groups’ penchant for targeting enterprise file transfer tools is well known.
Mitigation and detection advice
Huntress researchers have advised organizations to move any internet-exposed Cleo systems behind a firewall until a new patch is released. They also counseled disabling the Autorun feature if it’s not used.
Cleo has provided scripts customers can use to automatically disable Autorun if they can’t do it via the user interface.
For those that use Autorun in day-to-day operations, the company advises:
- Changing the default Autorun directory to a custom name
- Searching for malicious files on the hosts and removing them (either manually or via provided scripts that locate and quarantine any malicious hosts)
- Blocking attack IP addresses at the network/firewall level
The company also laid out configuration changes that can be made by customers to restrict access to the servers, and advised using EDR solutions to monitor for unauthorized changes in configuration or other critical files.
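The advisories above describe two locations worth checking during triage: a randomly named file dropped in the product’s temp directory and an import command placed in the autorun directory. The following script is an added example (not Cleo’s or Huntress’ tooling) that lists recently modified files in those two directories under a given install root; the install path, the cut-off date and the “random-looking name” heuristic are assumptions.

```python
"""Triage helper for a Cleo Harmony/VLTrader/LexiCom install directory.

Added example, not Cleo's or Huntress' tooling. It walks the two
locations the advisory names, <install>/temp and <install>/autorun,
and reports files modified on or after a chosen date. The install
path, the cut-off date and the random-name heuristic are assumptions.
"""
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

# Heuristic (assumption): a bare name of 8+ alphanumerics with no
# extension looks machine-generated rather than operator-created.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")


def triage_cleo_dirs(install_root, since):
    """Return (relative_path, reason) tuples for files worth a closer look.

    install_root: Cleo product directory (assumed, e.g. C:\\LexiCom).
    since: timezone-aware datetime; files modified at/after it are reported.
    Every file in autorun/ is reported, since the advice is to verify or
    disable Autorun entirely when it is not needed.
    """
    findings = []
    root = Path(install_root)
    cutoff = since.timestamp()
    for sub in ("autorun", "temp"):
        d = root / sub
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if not f.is_file():
                continue
            reasons = []
            if f.stat().st_mtime >= cutoff:
                reasons.append(f"modified on/after {since.date()}")
            if sub == "temp" and RANDOM_NAME.match(f.name):
                reasons.append("random-looking name (heuristic)")
            if sub == "autorun":
                reasons.append("autorun entry: verify it is expected")
            if reasons:
                findings.append((f.relative_to(root).as_posix(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Earliest exploitation date reported by Huntress, used as the default cut-off.
    since = datetime(2024, 12, 3, tzinfo=timezone.utc)
    for path, why in triage_cleo_dirs(sys.argv[1], since):
        print(f"{path}: {why}")
```

Run it as `python triage.py <install_root>`; any hit in autorun/ or a random-looking, recently modified file in temp/ should be preserved for analysis rather than deleted outright.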
According to Huntress, a new patch for CVE-2024-50623 is in the works, and it is safe to assume Cleo is also working on a patch for the autorun exploit vulnerability.
It seems that the attackers are exploiting both vulnerabilities, but we’ve reached out to Cleo for confirmation and more information, and we’ll update this article when we hear back from them.
UPDATE (December 10, 2024, 01:40 p.m. ET):
Cleo has updated the advisory for the exploited zero-day and changed its description to “unauthenticated malicious hosts vulnerability (CVE pending) that could lead to remote code execution.”
The company also says that it affects Cleo Harmony, VLTrader, and LexiCom up to version 5.8.0.23 (which will soon be released).
Rapid7 researchers have also “confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents.”
Cybersecurity expert Kevin Beaumont said earlier today that “Termite ransomware group operators (and maybe other groups) have a zero day exploit for Cleo LexiCom, VLTransfer, and Harmony.”
UPDATE (December 10, 2024, 02:55 p.m. ET):
“In December, Huntress and other security firms observed multiple in-the-wild intrusions via Cleo software, VLTrader, LexiCom, and Harmony. On the compromised hosts were versions that varied, both prior to 5.8.0.21 and the patched 5.8.0.21,” Huntress researcher John Hammond told Help Net Security.
“These intrusions matched the pattern of ‘unrestricted file upload and remote code execution’ well enough for the industry to perceive this was exploitation of CVE-2024-50623, however, since this was exploited even on hosts with the ‘patched’ 5.8.0.21 version, it would mean either (a) the 5.8.0.21 patch was not enough to prevent CVE-2024-50623 and it could be bypassed, or (b) this was an entirely new attack vector.”
After observing the in-the-wild tradecraft and recreating a proof of concept that Huntress believes matches what the threat actors are using in these attacks, the researchers shared it with Cleo, which confirmed Huntress’ analysis and research and told them it would be releasing a new patch and designating a new CVE, separate from CVE-2024-50623.
“Since we don’t know the full technical details of CVE-2024-50623, we don’t know if threat actors were exploiting that specific vulnerability, or executing an entirely new attack vector (since it did successfully compromise patched versions). Candidly, there was no discussion of the original CVE-2024-50623 in our conversation, and Cleo didn’t express if what we were tracking was the CVE-2024-50623 vulnerability, or something new,” he added.
“Based on Cleo actively working to craft a new patch and designate a new CVE, it’s fair to assume the December exploitation is a separate issue from the October CVE, but truthfully Cleo is the only source that will know for sure. While the patterns of the attack line up, all that we can report on is our observations from the in-the-wild exploitation and our proof-of-concept that still successfully exploits versions including 5.8.0.21.”
UPDATE (December 10, 2024, 04:10 p.m. ET):
“We have identified a critical vulnerability in instances of Cleo Harmony, VLTrader, and LexiCom products. Promptly upon discovering the vulnerability, we launched an investigation with the assistance of outside cybersecurity experts, notified customers of this issue and provided mitigation steps customers should immediately take to address the vulnerability while a patch is under development,” a Cleo spokesperson said in the company’s statement.
“Our investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates. Cleo remains focused on supporting its customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability.”
UPDATE (December 12, 2024, 02:10 p.m. ET):
A more recent update on this story: Cleo has released a security patch to address the (still CVE-less) zero-day that is being exploited and researchers have analyzed the malicious payloads.
UPDATE (December 16, 2024, 01:25 p.m. ET):
Rapid7 researchers have analyzed CVE-2024-55956, which they say is not a patch bypass of CVE-2024-50623, and have explained how it’s being exploited.
CVE-2024-55956 is an unauthenticated file write vulnerability and the patch for it is working, they added.