Attackers Target Managed File Transfer Software Vulnerabilities
File transfer software made by Cleo Communications is under active attack and a patch meant to stymie hackers doesn’t fix the flaw, say security researchers from Huntress.
Hackers are exploiting an arbitrary file-write vulnerability tracked as CVE-2024-50623 together with a feature of Cleo software that automatically executes any file placed in its autorun directory.
Huntress said it first identified on Dec. 3 a vulnerability affecting Cleo's LexiCom, VLTrader and Harmony products. The privately held, Illinois-based file transfer company published a patch on Monday, but the fix "does not mitigate the software flaw," Huntress wrote the same day.
Cybersecurity researchers say Cleo employees vowed during a Zoom call to develop a second patch. Cleo on Wednesday afternoon said it has identified an unauthenticated malicious hosts vulnerability that could lead to remote code execution, with a CVE identifier “pending.”
In an emailed statement, a Cleo spokesperson said the company promptly “launched an investigation with the assistance of outside cybersecurity experts, notified customers of this issue and provided mitigation steps customers should immediately take to address the vulnerability while a patch is under development. Our investigation is ongoing.”
Huntress advised Cleo customers to delete the contents of the autorun directory, which closes the attack path through that feature but leaves the underlying bug in place. "This will not prevent the arbitrary file-write vulnerability until a patch is released," Huntress warned.
Cleo file transfer software is used in industries with large-scale logistics and supply chain operations. Huntress wrote that it spotted "at least 10 businesses" with compromised Cleo servers, with a "notable uptick in exploitation observed on December 8 around 07:00 UTC." Most of the compromised customers operate in the consumer products, food, trucking and shipping sectors. A Shodan search showed 436 exposed servers, the vast majority of them located inside the United States.
The attack chain begins with the attacker writing malicious files into the autorun directory, which triggers their automatic execution. The files invoke PowerShell commands that retrieve webshells from external servers, giving the attacker persistent access. Malicious autorun files uploaded so far have included healthchecktemplate.txt and healthcheck.txt.
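The following triage script is an added example written for this article; it is not Cleo's or Huntress' code. It implements the interim mitigation described above: it lists the autorun directory, flags the two file names Huntress reported plus any file whose content calls PowerShell or cmd.exe (that content heuristic is an assumption, not a published indicator), and then moves everything into a quarantine directory rather than deleting it so the files survive for forensics. The autorun path is supplied by the operator, and the sample directory it builds for a dry run is constructed, not captured data.

```python
"""Autorun-directory triage for Cleo LexiCom/VLTrader/Harmony hosts.

Added example (not vendor code). Emptying the autorun directory closes the
auto-execution path, but it does not fix the arbitrary file-write bug, so an
attacker can keep dropping files until the vendor patch lands. Re-run after
patching and keep the quarantined copies for incident response.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field

# File names Huntress reported in compromised autorun directories (from the article).
KNOWN_BAD_NAMES = {"healthchecktemplate.txt", "healthcheck.txt"}

# Content heuristic (assumption, not a published IOC): strings that indicate a
# command launcher or downloader rather than a routine Cleo autorun action.
SUSPICIOUS_CONTENT = re.compile(
    rb"(?i)(powershell|cmd\.exe|-enc(?:odedcommand)?\b|Invoke-WebRequest|DownloadString|wget\s|curl\s)"
)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def scan_autorun(autorun_dir):
    """Return a Finding for every regular file in autorun_dir that matches an indicator."""
    findings = []
    for name in sorted(os.listdir(autorun_dir)):
        path = os.path.join(autorun_dir, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        if name.lower() in KNOWN_BAD_NAMES:
            reasons.append("known malicious autorun file name")
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)  # a launcher stub is small; 64 KiB is plenty
        match = SUSPICIOUS_CONTENT.search(head)
        if match:
            reasons.append("content references " + match.group(1).decode(errors="replace"))
        if reasons:
            findings.append(Finding(path=path, reasons=reasons))
    return findings


def quarantine_autorun(autorun_dir, quarantine_dir):
    """Move every regular file out of autorun_dir into quarantine_dir; return new paths."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for name in sorted(os.listdir(autorun_dir)):
        src = os.path.join(autorun_dir, name)
        if os.path.isfile(src):
            dst = os.path.join(quarantine_dir, name)
            shutil.move(src, dst)
            moved.append(dst)
    return moved


def remaining_files(autorun_dir):
    """Sorted names of regular files still present (should be empty after quarantine)."""
    return sorted(n for n in os.listdir(autorun_dir)
                  if os.path.isfile(os.path.join(autorun_dir, n)))


def build_sample_autorun():
    """Constructed sample directory (not real captured data) for a dry run."""
    root = tempfile.mkdtemp(prefix="cleo_autorun_demo_")
    autorun = os.path.join(root, "autorun")
    os.mkdir(autorun)
    # Constructed stand-in for a dropped launcher: name matches a reported IOC and
    # the body invokes PowerShell, as the article describes.
    with open(os.path.join(autorun, "healthchecktemplate.txt"), "w") as fh:
        fh.write("cmd.exe /c powershell -enc SQBFAFgA\n")
    # Benign-looking file an administrator might legitimately keep there.
    with open(os.path.join(autorun, "nightly_export.txt"), "w") as fh:
        fh.write("copy out/*.edi archive/\n")
    return autorun


if __name__ == "__main__":
    autorun = build_sample_autorun()
    for f in scan_autorun(autorun):
        print("FLAGGED %s: %s" % (f.path, "; ".join(f.reasons)))
    moved = quarantine_autorun(autorun, autorun + "_quarantine")
    print("quarantined %d file(s); autorun now holds %s" % (len(moved), remaining_files(autorun)))
```

Run it against the real autorun path on each Cleo host rather than the constructed sample, and hash the quarantined files before sharing them with responders; the content heuristic will also flag legitimate autorun actions that shell out, so review every finding rather than treating a match as proof of compromise.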
Cybersecurity researcher Kevin Beaumont posted that among the cybercriminal groups exploiting the Cleo vulnerability is the Termite ransomware operation. Apparently active since April, Termite uses a modified version of the leaked Babuk cryptolocker. It raised its profile by claiming responsibility in late November for an attack on supply chain management software provider Blue Yonder that disrupted operations at Starbucks and major British supermarket chains (see: Ransomware Attack on Supply Chain Provider Causes Disruption).
With reporting from Information Security Media Group’s David Perera in Washington, D.C.