Tech
Fully patched Cleo products under ‘0-day-ish’ mass attack
Researchers at security shop Huntress are seeing mass exploitation of a vulnerability affecting three Cleo file management products, even on patched systems.
Cleo issued patches for CVE-2024-50623, an unauthenticated remote code execution (RCE) bug affecting Harmony, VLTrader, and LexiCom running version 5.8.0.21 – marketed as secure file integration and transfer products – back in October.
The situation was described by Huntress on Reddit as “zero-day-ish.” It’s a zero-day in the sense that it involves the novel exploit of a vulnerability, but “ish” because that vulnerability was already addressed, or so Cleo thought.
Huntress reported that exploit attempts were observed on more than 1,700 Cleo servers its security tools oversee, suggesting the true number of attempts may be much higher. Its threat advisory states that at least ten Cleo customers are believed to be compromised as a result.
“The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries,” Huntress researchers wrote. “There are still several other companies outside of our immediate view who are potentially compromised as well.”
The company’s post linked to a Shodan scan that suggested around 390 other servers may also be compromised at the time of writing.
Given the success Cl0p had with MOVEit MFT, a similar offering to the affected Cleo products, which is still claiming victims, the sightings have prompted a degree of alarm among the experts.
Huntress responded to Reddit contributors who said their logs showed exploit attempts starting on December 7, saying “we’ve seen similar,” before listing IPs in Moldova, the Netherlands, Canada, Lithuania, and the US. Its blog notes that there are signs these attempts first began on December 3, however.
The researchers said they were able to recreate what they think is the same exploit attackers are using and released sigma rules to detect possible exploitation and suspicious PowerShell spawns, plus a range of indicators of compromise (IOCs).
Huntress said it had already reported its findings to Cleo and over a Zoom call the vendor said it would be releasing an updated patch as soon as possible, although at the time of writing this was not available.
It added that Cleo customers should move any affected servers behind a firewall while they wait for patches to be released.
The Register asked Cleo for an update on proceedings but it did not immediately reply.
According to early analysis, the exploits involve a series of autorun files installed on compromised servers that are deleted immediately after being processed to retain a semblance of stealth.
Cleo’s native Import functionality is abused to read malicious files to invoke PowerShell commands, which then lead to code execution.
Huntress said a PowerShell command then contacts an external IP address to retrieve JAR files that contain “webshell-like functionality for persistence on the endpoint.” As with the autorun files, attackers also delete the JAR files to hide their tracks.
“For further post-exploitation, the threat actors were observed enumerating potential Active Directory assets with domain reconnaissance tools like nltest.exe.”
Huntress recommended that all Cleo users delete their “Autorun Directory” field in their affected software’s configuration as a mitigation to limit the code execution part of the attack. However, it doesn’t entirely prevent the arbitrary file-write part of the exploit and customers will have to wait for a patch here. ®