Cleo has released a security patch to address the critical vulnerability that attackers began exploiting as a zero-day to breach internet-facing Cleo Harmony, VLTrader, and LexiCom instances.
Version 5.8.0.24 of the three products, which was pushed out on Wednesday, plugs the hole that allowed attackers into vulnerable installations, where they moved to establish a reverse shell connection to their servers and perform reconnaissance.
Huntress researcher John Hammond confirmed that the patch is effective at blocking the proof-of-concept exploit they (re)created based on the attacks they’ve observed.
Clearing up the confusion
Huntress researchers initially believed that the attackers were leveraging CVE-2024-50623, and that the attack was made possible by Cleo fumbling a patch for the flaw that was incorporated in v5.8.0.21 of Harmony, VLTrader, and LexiCom in October 2024.
As Hammond told Help Net Security on Tuesday, even after conferring with Cleo about their PoC exploit, they are still unclear on whether the attackers are exploiting CVE-2024-50623 (an unrestricted file upload and download vulnerability) or the other CVE-pending vulnerability Cleo finally fixed on Wednesday.
“Based on Cleo actively working to craft a new patch and designate a new CVE, it’s fair to assume the December exploitation is a separate issue from the October CVE, but truthfully Cleo is the only source that will know for sure,” he told us.
Attack flow and malware
In the meantime, various security companies have been warning about the attacks they’ve detected and have shared insight into the malicious payloads the attackers have been dropping.
Sophos X-Ops says that they’ve seen 50+ unique hosts targeted by attackers, mostly belonging to retail organizations that operate within North America.
Huntress researchers have published an analysis of the multi-stage malware implant that the attackers are using, which they’ve dubbed Malichus. It creates a connection from compromised servers to the attacker’s command and control (C2) server to download next-stage payloads.
“The final stage is a modular Java-based post-exploitation framework which contains a significant amount of functionality. The framework supports both Linux and Windows; however, Huntress only observed usage on Windows,” they shared.
The post-exploitation framework:
- Deletes the first stage payload (downloader)
- Sends out status updates to the C2 server
- Allows operators to read and collect files or directories
- Allows operators to retrieve Cleo configuration files (for information about the installation) and issue execution commands
- Allows operators to perform basic read and write operations on the filesystem
Rapid7 researchers have visually explained the attack flow thus:
Attack flow (Source: Rapid7)
After initial exploitation, they’ve also observed the attacker:
- Executing commands aimed at gathering user, group and system information from the impacted system and displaying domain trust relationships
- Executing an overpass-the-hash attack to create a valid Kerberos ticket and thus gain access to additional network resources within the impacted environment.
What should organizations that use these Cleo solutions do?
“Cleo strongly recommends customers apply the available patch immediately,” a company spokesperson told Help Net Security.
Disabling the Autorun feature can also hobble the attacker’s exploit. Restricting access to Cleo systems – e.g., by putting them behind a firewall or by setting up a limited IP allowlist – is also a good idea, especially if updating is impossible at the moment.
But it’s also crucial to investigate whether your instances have been accessed and compromised by the attackers. Cleo has provided indicators of compromise, advice and scripts for locating malicious files and for identifying and quarantining affected hosts (in a document behind a registration wall), and Huntress and Rapid7 have shared some, as well.
If there’s evidence of compromise, you should widen your investigation to discover whether the attacker has jumped on other systems on your network.
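An added triage script (not from the article, Cleo, Huntress or Rapid7) that applies the advice above to a constructed inventory: it flags Harmony, VLTrader and LexiCom hosts running anything below 5.8.0.24 and singles out the unpatched ones that are internet-facing or have Autorun on, since those are the ones to restrict first. The host records and their exposure/Autorun fields are assumptions; the version comparison is numeric so that a build like 5.8.0.3 is not mistaken for a newer one by string ordering.

```python
"""Triage a Cleo MFT inventory against the 5.8.0.24 fix (added example)."""
from __future__ import annotations
from dataclasses import dataclass

PATCHED = (5, 8, 0, 24)                       # fixed build cited in the article
CLEO_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(text: str) -> tuple[int, ...]:
    """'5.8.0.21' -> (5, 8, 0, 21). Tuples compare numerically, so
    '5.8.0.3' < '5.8.0.24' (a plain string comparison would get that wrong)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    v = parse_version(version)
    v = v + (0,) * (len(PATCHED) - len(v))    # pad '5.8' to (5, 8, 0, 0)
    return v >= PATCHED


@dataclass
class Host:                                   # assumed inventory record shape
    name: str
    product: str
    version: str
    internet_facing: bool
    autorun_enabled: bool


def triage(hosts: list[Host]) -> dict[str, list[str]]:
    """Bucket Cleo hosts: patched, needs patch, and needs patch AND is exposed
    (internet-facing or Autorun on), which is where to restrict access first."""
    out: dict[str, list[str]] = {"ok": [], "patch_now": [], "exposed_unpatched": []}
    for h in hosts:
        if h.product not in CLEO_PRODUCTS:
            continue                          # not a Cleo product, ignore
        if is_patched(h.version):
            out["ok"].append(h.name)
            continue
        out["patch_now"].append(h.name)
        if h.internet_facing or h.autorun_enabled:
            out["exposed_unpatched"].append(h.name)
    return out


SAMPLE = [                                    # constructed inventory, not real hosts
    Host("mft-01", "Harmony", "5.8.0.24", True, True),
    Host("mft-02", "VLTrader", "5.8.0.21", True, True),   # October 2024 build
    Host("mft-03", "LexiCom", "5.8.0.3", False, False),
    Host("web-01", "nginx", "1.24.0", True, False),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```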
According to cybersecurity expert Kevin Beaumont, “Termite ransomware group operators (and maybe other groups) have a zero day exploit for Cleo LexiCom, VLTransfer, and Harmony.”
We still don’t know which group or groups are behind these attacks, but Termite is a strong contender: the group has claimed the attack on Blue Yonder, and they reportedly had an internet-facing Cleo instance.