Ransomware group "Termite" — which recently claimed supply chain vendor Blue Yonder as a victim — may be behind widespread exploit activity targeting a previously fixed vulnerability in Cleo's LexiCom, VLTrader, and Harmony file transfer software.
Cleo is developing a new patch for the flaw, but none is available yet, which makes the vulnerability a zero-day under active attack.
Widespread Attacks
The attacks appear to have begun on Dec. 3 and have claimed at least 10 victims across multiple sectors, including consumer products, trucking and shipping, and the food industry, according to researchers at Huntress Labs who are tracking the activity. A search for vulnerable, Internet-exposed Cleo systems suggests that the actual number of victims may be higher, the security vendor said.
Rapid7 also said it had received reports of compromise and post-exploit activity involving the Cleo vulnerability from multiple customers. "File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular," Rapid7 wrote in a blog post on Dec. 10. The company recommended affected organizations take "emergency action" to mitigate risk related to the threat.
More than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution use Cleo software for a variety of use cases. Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global.
Huntress identified the vulnerability that Termite is targeting as CVE-2024-50623, an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21. Cleo disclosed the vulnerability in October and urged customers to immediately upgrade affected products to the fixed version 5.8.0.21.
However, the patch appears to have been insufficient, because all previously affected versions of Cleo software, including the patched 5.8.0.21, remain vulnerable to the same CVE, Huntress said. "This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable," Huntress researcher John Hammond wrote. "We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released."
Working on a Patch
Cleo has acknowledged the issue and said it plans to issue a new CVE identifier for the bug. In an emailed statement, a company spokesperson described the flaw as a critical issue. The statement noted that Cleo has notified customers about the threat and advised them on how to mitigate exposure until its patch becomes available. "Our investigation is ongoing," the statement said. "Customers are encouraged to check Cleo's security bulletin webpage regularly for updates."
Hammond said Huntress's analysis of the threat actor's post-exploit activity showed the attacker deploying Web shell-like functionality for establishing persistence on compromised endpoints. Huntress also observed the threat actor enumerating potential Active Directory assets with nltest.exe and other domain reconnaissance tools.
In comments to Dark Reading, Huntress director of adversary tactics Jamie Levy says that available evidence points to Termite as the likely perpetrator. Like the victims of the ongoing attacks, Blue Yonder had an instance of Cleo's software open to the Internet, she says. Termite claimed Blue Yonder as one of its victims and appeared to confirm it by publicly listing files belonging to the company, Levy notes.
The New Cl0p?
"There have been some rumblings that Termite might be the new Cl0p," Levy says, and data has emerged that appears to substantiate those claims. Also, Cl0p's activities have waned while Termite's activities have increased. Both are operating in similar fashions. "We're not really in the attribution game, but it wouldn't be surprising at all if we are seeing a shift in these ransomware gangs at the moment," Levy says.
Max Rogers, senior director of security operations at Huntress, described the new Cleo zero-day as something that enables easy access to Cleo systems for attackers with the exploit code. "The most effective immediate action is to ensure that affected systems are not accessible from the Internet, which significantly reduces the risk of exploitation."
Rogers additionally recommends that organizations disable the autorun feature in Cleo software to limit the attack surface while waiting for an updated patch. "However, at this time," he says, "the only guaranteed way to protect systems is to make them inaccessible over the Internet until a new patch is out."