
Termite Ransomware Suspected in Cleo Zero-Day Attacks


A ransomware group known as “Termite” has recently been linked to a string of cyberattacks targeting a vulnerability in Cleo’s LexiCom, VLTransfer, and Harmony file transfer software. The group, which made headlines after claiming supply chain vendor Blue Yonder as a victim, has been exploiting a vulnerability in Cleo’s software that had previously been patched, leaving many organizations exposed to attack.

The attacks, which reportedly began on Dec. 3, have already affected at least 10 victims across various industries, including consumer products, trucking and shipping, and the food industry. Security researchers at Huntress Labs have been closely monitoring the situation and have warned that the actual number of victims could be much higher than reported.

Rapid7, another cybersecurity firm, has also received reports of compromise and post-exploit activity related to the Cleo vulnerability from multiple customers. The company emphasized the ongoing threat posed by such vulnerabilities, especially for financially motivated threat actors.

Cleo, the software company behind the affected products, is currently working on developing a new patch to address the flaw. Despite their efforts, the company has confirmed that there is currently no available patch, leaving the vulnerability as a zero-day threat that is actively being exploited by cybercriminals.

Huntress Labs identified the specific vulnerability, known as CVE-2024-50623, as an unauthenticated remote code execution (RCE) flaw in Cleo’s software versions prior to 5.8.0.21. Although Cleo disclosed the vulnerability in October and urged customers to upgrade to the fixed version, it appears that the initial patch was ineffective, as all versions of the software remain vulnerable.

In response to the ongoing attacks, Cleo has acknowledged the severity of the issue and plans to issue a new identifier for the bug. The company has advised affected customers to take immediate action to mitigate their exposure until a new patch is released, emphasizing the critical nature of the flaw.

Security researchers at Huntress noted that the threat actor behind the attacks has been deploying web shell-like functionality to maintain persistence on compromised systems. They also observed the attacker using domain reconnaissance tools to identify potential Active Directory assets, indicating a sophisticated and targeted approach.

There are growing concerns within the cybersecurity community that Termite may be the new iteration of the notorious Cl0p ransomware group. Evidence suggests that Termite’s activities are on the rise, while Cl0p’s activities have begun to wane. The similarities in their operations have raised suspicions of a potential shift in the landscape of ransomware gangs.

As organizations await a new patch from Cleo, security experts recommend taking immediate precautions by restricting access to affected systems and disabling certain features to reduce the attack surface. The ultimate goal is to safeguard against exploitation until a comprehensive solution is made available to address the vulnerability effectively.

In conclusion, the cyber attacks targeting Cleo’s software highlight the persistent threat posed by ransomware groups and the importance of proactive cybersecurity measures in today’s digital landscape. Organizations must remain vigilant and take necessary steps to protect their systems and data from evolving cyber threats.
