A notorious ransomware group has taken credit for the recent attacks exploiting vulnerabilities in file transfer products from enterprise software developer Cleo.
The attacks involve vulnerabilities affecting Cleo’s Harmony, VLTrader, and LexiCom file transfer tools. Attacks exploiting the flaws have been seen since December 3.
The vulnerabilities allow unauthenticated attackers to achieve remote code execution. In the attacks observed in recent weeks, the attackers have likely attempted to obtain files from organizations that have been using the vulnerable software.
When news of exploitation broke, security firm Huntress reported that the attacks involved CVE-2024-50623, which Cleo attempted to patch in October but failed to properly do so. Now, a new CVE identifier, CVE-2024-55956, has been assigned and Harmony, VLTrader and LexiCom versions 5.8.0.24 were released last week to patch it. Cleo is strongly urging customers to immediately update the software.
However, Rapid7 principal security researcher Stephen Fewer has analyzed both CVE-2024-50623 and CVE-2024-55956 and determined that the latter is not a bypass of the former. CVE-2024-55956 is a new unauthenticated file write vulnerability that has a different root cause than CVE-2024-50623, which is an unauthenticated file read/write issue.
“CVE-2024-55956 does occur in a similar part of the product code base as the CVE-2024-50623 and is reachable via the same endpoint in the target. However, the exploitation strategy differs greatly between the two vulnerabilities,” Fewer explained.
Both security holes appear to have been exploited in the wild, which indicates that the attacks actually involved exploitation of a zero-day vulnerability.
In a cryptic post on its Tor-based website, the notorious Cl0p ransomware group suggested that it is responsible for the Cleo campaign and that in the upcoming period it will focus on the organizations targeted through these recent attacks.
Advertisement. Scroll to continue reading.
Cl0p representatives confirmed to SecurityWeek that the group is taking credit for the Cleo attacks.
A new ransomware group named Termite was initially believed to be behind the Cleo attacks, with some members of the cybersecurity industry suggesting that there may be a link between Termite and Cl0p, specifically that Termite may be Cl0p’s successor.
However, Rapid7 senior director of threat analytics Christiaan Beek noted that it’s still possible that multiple threat groups have conducted attacks.
“Although Cl0p posted a message on their website, this is not hard evidence pointing to a single threat group’s involvement. Therefore, any discussion of whether Termite or Cl0p are behind this exploit is speculation until proven with other indicators/evidence,” Beek said in emailed comments.
He added, “It’s possible to confirm a group’s involvement by correlating the attack’s technical indicators, the tools and techniques used, and observations and technical analysis from the past, such as code similarity. By themselves each of these things aren’t a strong indicator, but together they paint a verifiable picture.”
Cl0p does not appear to have added any new victims to its leak website in recent days, but companies hit in the Cleo campaign will likely be named soon.
It’s unclear how many Cleo customers have been targeted in the recent attacks. Cl0p told SecurityWeek that it “cannot say for sure”, but it’s “quite a lot”.
Since news of exploitation emerged, there has been a steady number of roughly 1,300 internet-exposed instances of the Harmony, VLTrader and LexiCom products, according to Censys.
It’s not surprising that Cl0p has taken credit for the Cleo attacks. The ransomware group was also responsible for the MOVEit hack campaign, in which the cybercriminals exploited a zero-day in Progress Software’s MOVEit file transfer software to steal vast amounts of information from thousands of organizations.
The cybersecurity agency CISA on Friday added the Cleo product flaws to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address the security holes by early January 2025. The agency has confirmed that the vulnerabilities have been exploited by ransomware groups, but did not share any details.
Several cybersecurity firms have published an analysis of the malware delivered in the Cleo attacks, describing it as a Java-based post-exploitation framework and RAT that enables the attackers to conduct reconnaissance, execute commands, and exfiltrate files. The malware is tracked as Malichus (Huntress) and Cleopatra (Arctic Wolf).
*updated with information from Cl0p group
Related: QNAP Patches Vulnerabilities Exploited at Pwn2Own
Related: Microsoft Patches Exploited Vulnerability in Partner Network Website