‘Termite’ Ransomware Likely Behind Cleo Zero-Day Attacks

December 10, 2024 at 04:05PM

The ransomware group “Termite” is exploiting a recently disclosed vulnerability (CVE-2024-50623) in Cleo’s file transfer software, impacting multiple sectors. Although Cleo is developing a new patch, all existing versions, including the previously patched release, remain vulnerable. Researchers advise immediate protective measures for exposed systems until a fix is released.

### Meeting Takeaways:

1. **Threat Overview**: The ransomware group “Termite” is suspected of exploiting a previously disclosed vulnerability (CVE-2024-50623) in Cleo’s file transfer software, including LexiCom, VLTransfer, and Harmony.

2. **Current Status**:
– Cleo is working on a new patch for the identified zero-day vulnerability but has not yet released it. The previously issued patch (version 5.8.0.21) has been deemed insufficient as systems running it remain vulnerable.
– Attacks have been ongoing since December 3, targeting at least 10 victims across industries such as consumer products, trucking, shipping, and food.

3. **Impact on Organizations**: Over 4,200 customers rely on Cleo software, including notable companies like Brother, New Balance, and Barilla America, which are at risk due to this vulnerability.

4. **Recommendations for Affected Organizations**:
– Implement **emergency actions** to mitigate risks, such as moving any Internet-exposed Cleo systems behind a firewall.
– Disable the autorun feature in Cleo software to limit the attack surface until a patch is available.
– Regularly check Cleo’s security bulletin for updates on the patch status.

5. **Investigative Findings**: Huntress Labs’ analysis indicates that the threat actor is establishing persistence on compromised endpoints and conducting domain reconnaissance, showing that the intrusions extend beyond initial exploitation into hands-on post-compromise activity.

6. **Potential Shift in Ransomware Landscape**: There are indications that Termite may be emerging as a replacement for the Cl0p ransomware group, particularly as Cl0p’s activities have decreased.

7. **Next Steps**: Cleo will issue a new CVE identifier related to this critical flaw and is advising customers on measures to mitigate exposure until a new patch is released.

8. **Communication**: Huntress’s research team will continue to monitor the situation and report any significant developments regarding the ongoing attacks and impacted organizations.