Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623)

Attackers are exploiting a vulnerability (CVE-2024-50623) in file transfer software by Cleo – LexiCo, VLTransfer, and Harmony – to gain access to organizations’ systems, Huntress researchers warned on Monday.

“We’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3,” they shared, and noted that there are more potential vulnerable Cleo servers out there.

What’s happening?

What vulnerability are the attackers exploiting? Huntress researchers say it’s CVE-2024-50623, an unrestricted file upload and download vulnerability, a fix for which Cleo pushed out in late October 2024 in v5.8.0.21 of Harmony, VLTrader, and LexiCom.

Huntress researchers found that the patch provided by Cleo “does not mitigate the software flaw.”

According to a document that can only be viewed by customers logged in to the Cleo’s Solution Center, “this vulnerability has been leveraged to install malicious backdoor code on certain Cleo Harmony, VLTrader, and LexiCom instances in the form of a malicious Freemarker template containing server-side JavaScript”.

The document also provides indicators of compromise – two file hashes and an IPv4 address – associated with the attacks.

But the company has also published on Monday a separate advisory for an autorun exploit vulnerability – currently without a CVE number – that affects all the version of the aforementioned software, including v5.8.0.21.

The vulnerability “could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory,” the company explained in a linked document (that’s behind the aforementioned registration wall).

“This vulnerability has been leveraged to place a randomly named file containing a malicious host in the /[cleo product]/temp directory and an import command in the /autorun directory. These malicious hosts have commands that attempt to establish a reverse shell connection from one or more suspicious IP addresses back into the Harmony, VLTrader, or LexiCom server.”

The IP addresses associated with these attacks shared by Cleo correspond (in part) with those shared by Huntress.

Huntress researchers have promised to update the blog as more details emerge from their end, but so far have found that the attackers are actively deleting some files after downloading and using them, to increase stealthiness. They have also observed the attackers enumerating potential Active Directory assets with Nltest, a built-in Windows Server command-line tool.

They do not mention observing any data / file exfiltration activity, but cyber extortion groups’ penchant for targeting enterprise file transfer tools is well known.

Mitigation and detection advice

Huntress researchers have advised organizations to move any internet-exposed Cleo systems behind a firewall until a new patch is released. They also counseled disabling the Autorun feature if it’s not used.

Cleo has provided scripts customers can use to automatically disable Autorun if they can’t do it via the user interface.

For those that use Autorun in day-to-day operations, the company advises:

• Changing the default Autorun directory to a custom name
• Searching for malicious files on the hosts and removing them (either manually or via provided scripts that locate and quarantine any malicious hosts)
• Blocking attack IP addresses at the network/firewall level

The company also laid out configuration changes that can be made by customers to restrict access to the servers, and advised using EDR solutions to monitor for unauthorized changes in configuration or other critical files.

According to Huntress, a new patch for CVE-2024-50623 is in the works and is safe to assume Cleo is also working on a patch for the autorun exploit vulnerability.

It seems that the attackers are exploiting both vulnerabilities, but we’ve reached out to Cleo for confirmation and more information, and we’ll update this article when we hear back from them.