Attackers Exploit Managed File Transfer Vulnerabilities
Update Dec. 12, 2024, 00:34 UTC: Cleo Communications has issued a new patch to counteract ongoing exploitation of its file transfer software. A company spokesperson strongly advises customers to apply this patch immediately.
Critical Zero-Day Vulnerability in Cleo Software
File transfer software from Cleo Communications is under active attack, with security researchers from Huntress warning that the released patch does not fully address the critical flaw. The vulnerability, tracked as CVE-2024-50623, enables arbitrary file writing and combines with an autorun feature in Cleo’s software to allow malicious file execution.
Huntress first identified the issue on Dec. 3, pinpointing its impact on Cleo’s LexiCom, VLTransfer, and Harmony software products. Despite Cleo’s efforts to release a fix on Monday, Huntress noted the patch was insufficient to mitigate the risk.
During a subsequent Zoom call, Cleo employees pledged to develop a second patch. By Wednesday, Cleo announced the discovery of an additional unauthenticated malicious host vulnerability capable of leading to remote code execution. The associated CVE identifier is currently pending.
In a statement, Cleo emphasized its swift response, stating, “We launched an investigation with the help of external cybersecurity experts, notified our customers, and provided immediate mitigation steps while we continue to develop a comprehensive patch.”
Temporary Mitigation Measures
Huntress recommends that Cleo customers delete files within the autorun directory to disable exploitation via that function. However, the arbitrary file-write vulnerability remains unaddressed until a more robust patch is deployed.
Industries and Businesses at Risk
Cleo’s file transfer software is widely used in industries involving large-scale logistics and supply chains. Huntress has identified at least 10 businesses with compromised Cleo servers, observing a significant increase in exploitation activity on Dec. 8 at approximately 07:00 UTC. Most affected organizations operate in consumer products, food distribution, trucking, and shipping sectors. A Shodan search revealed 436 vulnerable servers, predominantly located in the United States.
Attack Methodology and Key Actors
The attack chain begins with hackers planting malicious files in the autorun directory, leading to automatic execution. These files enable attackers to execute PowerShell commands and establish persistent access through webshells retrieved from external servers. Examples of uploaded malicious files include healthchecktemplate.txt and healthcheck.txt.
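The two practical points above, that the autorun directory should hold nothing unexpected during the mitigation window and that dropped files such as healthcheck.txt are the observable artifact, can be turned into a simple audit. The script below is an added example written for this article; it is not code from Cleo, Huntress or the researchers quoted. It lists every file in a given autorun directory, flags anything not on an operator-maintained allowlist (with a specific reason when the name matches those reported in the article or the content carries a script-like marker), and moves flagged files to a quarantine folder so responders keep a copy instead of simply deleting it. The directory path, the allowlist, the content markers and the sample files in the demo are all assumptions or constructed for the demonstration.

```python
"""Audit a Cleo-style autorun directory for files that should not be there.

Added example, not vendor code. It assumes only what the article states:
the product executes files dropped into a configured autorun directory.
The path below is a placeholder; adjust it for the real installation.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

AUTORUN_DIR = r"C:\PLACEHOLDER\Cleo\autorun"  # placeholder, not a real path

# File names the article reports as uploaded by the attackers.
KNOWN_BAD_NAMES = {"healthcheck.txt", "healthchecktemplate.txt"}

# Assumed content markers suggesting a dropped file is a script, not transfer data.
SUSPICIOUS_MARKERS = (b"powershell", b"cmd.exe", b"<%", b"runtime.getruntime")


@dataclass
class Finding:
    name: str
    sha256: str
    size: int
    reason: str


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large transfer files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_autorun(autorun_dir: str, allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Return one Finding per regular file that is not explicitly allowlisted.

    Policy (a defender's assumption, not vendor guidance): while the flaw is
    unpatched, the directory is expected to be empty apart from allowlisted names.
    """
    findings = []
    for name in sorted(os.listdir(autorun_dir)):
        path = os.path.join(autorun_dir, name)
        if not os.path.isfile(path) or name in allowlist:
            continue
        if name.lower() in KNOWN_BAD_NAMES:
            reason = "matches file name reported in Cleo exploitation"
        else:
            with open(path, "rb") as f:
                head = f.read(4096).lower()
            hit = next((m for m in SUSPICIOUS_MARKERS if m in head), None)
            reason = f"contains marker {hit!r}" if hit else "not on allowlist"
        findings.append(Finding(name=name, sha256=sha256_of(path),
                                size=os.path.getsize(path), reason=reason))
    return findings


def quarantine(autorun_dir: str, findings: list[Finding], quarantine_dir: str) -> list[str]:
    """Move flagged files out of the autorun directory, keeping them for incident response."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for f in findings:
        dest = os.path.join(quarantine_dir, f"{f.sha256[:12]}_{f.name}")
        shutil.move(os.path.join(autorun_dir, f.name), dest)
        moved.append(dest)
    return moved


def demo() -> tuple[list[Finding], list[str], list[str]]:
    """Exercise the audit on a constructed temp directory; returns (findings, moved, remaining)."""
    root = tempfile.mkdtemp()
    autorun = os.path.join(root, "autorun")
    os.makedirs(autorun)
    samples = {  # constructed sample files, not real artifacts from any incident
        "healthcheck.txt": b"constructed sample",
        "drop.txt": b"powershell -Command Write-Host constructed",
        "notes.txt": b"operator scratch file",
        "report.xml": b"<report/>",
    }
    for name, data in samples.items():
        with open(os.path.join(autorun, name), "wb") as f:
            f.write(data)
    findings = audit_autorun(autorun, allowlist=frozenset({"report.xml"}))
    moved = quarantine(autorun, findings, os.path.join(root, "quarantine"))
    remaining = sorted(os.listdir(autorun))
    shutil.rmtree(root)
    return findings, moved, remaining


if __name__ == "__main__":
    for finding in demo()[0]:
        print(f"{finding.name}: {finding.reason} (sha256 {finding.sha256[:12]}, {finding.size} bytes)")
```

Run it on a schedule against the real directory (with the placeholder path replaced and the allowlist filled in) and forward the findings to the SIEM; the SHA-256 values give responders something to compare against indicators published for this campaign without executing or re-reading the files.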
Cybersecurity researcher Kevin Beaumont has linked the Termite ransomware operation to this exploitation. Active since April, Termite utilizes a modified version of the Babuk cryptolocker malware. The group gained notoriety after claiming responsibility for an attack on Blue Yonder, a supply chain software provider. This attack disrupted operations at Starbucks and several major British supermarket chains.
Looking Forward
The ongoing exploitation of Cleo’s software highlights the critical need for rapid response and robust patching in today’s cybersecurity landscape. As the investigation unfolds, Cleo’s customers are urged to remain vigilant and implement recommended mitigation measures. Organizations relying on managed file transfer software must prioritize updates and security protocols to mitigate emerging threats.