CyberSecurity SEE

Cleo patches zero-day exploited by ransomware gang

Cleo has released a security patch for a critical vulnerability in internet-facing Cleo Harmony, VLTrader, and LexiCom instances. The flaw was being exploited as a zero-day: attackers used it to gain unauthorized access to vulnerable installations and establish a reverse shell back to their own servers for reconnaissance.

The patch, version 5.8.0.24 of each of the three products, was released on Wednesday to close the hole the attackers were taking advantage of. According to Huntress researcher John Hammond, the patch has proven effective in blocking the proof-of-concept exploit that was created from the observed attacks.

Initially there was confusion about which vulnerability the attackers were exploiting. Hammond and other researchers suspected CVE-2024-50623, a flaw addressed by a previous patch released in October 2024. Further investigation suggested that a separate, CVE-pending vulnerability was being exploited instead; Cleo confirmed the existence of a separate issue and set about crafting a new patch for it.

Security companies such as Sophos X-Ops and Huntress have been monitoring the attacks and sharing insights into the malicious payloads in use. Sophos X-Ops reported more than 50 unique hosts targeted, primarily in North American retail organizations. Huntress researchers identified a multi-stage malware implant, which they named Malichus, that connects from compromised servers to the attackers' command and control (C2) server to download additional payloads.

The malware's post-exploitation framework lets the attackers delete the initial payload, send status updates to the C2 server, collect files, retrieve Cleo configuration files, and execute commands on compromised systems. Rapid7 researchers published a visual walkthrough of the attack flow, showing the steps the attackers take after initial exploitation.

To mitigate the risk, Cleo strongly recommends that customers apply the available patch immediately and consider disabling the Autorun feature. Restricting access to Cleo systems and checking them thoroughly for indicators of compromise are also essential steps for organizations using these products. Where a compromise is found, organizations should widen the investigation to determine whether the attackers have spread to other systems on the network.
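One way to operationalize the first recommendation, as an added example that is not code from the article, from Cleo, or from the researchers it cites: a version gate that flags hosts running an affected product while still below build 5.8.0.24. The inventory format, the hostnames, and every installed version other than 5.8.0.24 are assumptions constructed for the example. The comparison is numeric rather than lexical, which matters because a plain string compare ranks "5.8.0.9" above "5.8.0.24".

```python
"""Added example (not from the article, Cleo, or the quoted researchers).

Flag Cleo Harmony, VLTrader and LexiCom hosts whose build is still below
5.8.0.24, the patched version the article names. The inventory layout and all
version strings except 5.8.0.24 are constructed for illustration.
"""

PATCHED_VERSION = "5.8.0.24"          # build the article says closes the hole
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}

# Constructed sample inventory: (hostname, product, installed version).
# Hostnames and installed versions are made up; only 5.8.0.24 is from the article.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "Harmony",  "5.8.0.24"),
    ("mft-02.example.internal", "VLTrader", "5.8.0.9"),
    ("mft-03.example.internal", "LexiCom",  "5.7.1.3"),
    ("mft-04.example.internal", "LexiCom",  "5.8.1.0"),
    ("sftp-01.example.internal", "OpenSSH", "9.6"),
]


def parse_version(version: str) -> tuple:
    """Turn '5.8.0.24' into (5, 8, 0, 24).

    Tuples of ints compare numerically component by component, whereas the raw
    strings compare character by character ('5.8.0.9' > '5.8.0.24' lexically).
    A version with fewer components, e.g. '5.8', sorts below '5.8.0.24'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True if the installed build is at or above the patched build."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def hosts_needing_patch(inventory) -> list:
    """Return hostnames running an affected Cleo product below 5.8.0.24.

    Other products are ignored. A version string that cannot be parsed is
    reported rather than silently skipped, so an odd entry is never assumed safe.
    """
    flagged = []
    for host, product, version in inventory:
        if product not in AFFECTED_PRODUCTS:
            continue
        try:
            patched = is_patched(version)
        except ValueError:
            patched = False   # unparsable version: do not assume it is safe
        if not patched:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: below {PATCHED_VERSION}, patch and review for indicators of compromise")
```

The version gate only covers the first of Cleo's recommendations: it says nothing about whether Autorun is disabled or whether a host was compromised before the patch landed, so it belongs alongside the access restrictions and the indicator-of-compromise review the article describes, not in place of them.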

As the situation unfolds, security researchers such as Kevin Beaumont warn that ransomware groups may exploit the Cleo vulnerability. Attributing the attacks remains difficult; the Termite ransomware group is a strong contender based on its previous activity. Further updates should clarify the nature and extent of the attacks.

A CVE identifier (CVE-2024-55956) has now been assigned to the exploited Cleo vulnerability, and CVE-2024-50623 has been added to CISA's Known Exploited Vulnerabilities catalog, underscoring the severity and impact of these attacks. Stay tuned for further developments and security recommendations as the situation evolves.
