December 10, 2024 at 11:48AM
Users of Cleo-managed file transfer software are urged to secure their systems due to exploitation of a remote code execution vulnerability (CVE-2024-50623). Despite patches, the issue persists, affecting products like Cleo Harmony and VLTrader. At least 10 companies have been compromised, with evidence of ransomware involvement.
### Meeting Takeaways – Vulnerability / Threat Analysis (Dec 10, 2024)
1. **Urgent Security Advisory**:
– Users of Cleo-managed file transfer software are advised to secure their instances against internet exposure due to widespread exploitation of a vulnerability identified as CVE-2024-50623.
2. **Vulnerability Details**:
– Discovered by Huntress on December 3, 2024.
– Affects Cleo’s LexiCom, VLTrader, and Harmony software, with instances up to version 5.8.0.23.
– The vulnerability is an unrestricted file upload flaw that allows unauthenticated attackers to achieve remote code execution.
3. **Current Exploitation**:
– Attackers are exploiting the vulnerability to deploy malicious files, including XML files configured to execute embedded PowerShell commands that download further malware.
– Compromised organizations include those in consumer products, logistics, shipping, and food supply sectors.
4. **Patch Limitations**:
– Patches for CVE-2024-50623 do not fully mitigate the vulnerability.
– An additional vulnerability concerning unauthenticated malicious hosts has been identified, with an advisory pending.
5. **Incident Reports**:
– At least 10 businesses have reported exploitation of their Cleo servers.
– A rise in exploitation activity was noted on December 8, 2024.
6. **Threat Actor Activity**:
– Attackers, including the Termite ransomware group, are leveraging this vulnerability.
– Evidence suggests potential involvement of ransomware operators utilizing a modified Babuk ransomware variant for attacks.
7. **Recommended Actions for Users**:
– Ensure that all software is up to date to mitigate risk.
– Take immediate measures to protect instances from unauthorized internet access.
8. **Continuous Monitoring**:
– Organizations should remain vigilant and monitor developments regarding exploitation tactics and emerging vulnerabilities in managed file transfer tools.
Follow up with relevant teams to ensure compliance and address any security vulnerabilities promptly.
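As an added, defender-side illustration of the XML-embedded PowerShell technique noted under "Current Exploitation" (example code written for these notes, not part of the original advisory or of Cleo's software): a small Python triage routine that parses XML files and flags any element text or attribute containing PowerShell execution indicators. The indicator patterns, the element names, and the sample file contents are constructed assumptions for this example, not real Cleo configuration files.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Indicators of embedded PowerShell execution in XML text or attributes.
# Patterns chosen for this example; tune them to your environment.
PS_INDICATORS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bpowershell(\.exe)?\b",
        r"-(enc|encodedcommand)\b",
        r"\b(iex|invoke-expression)\b",
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
        r"\bcmd(\.exe)?\s+/c\b",
    )
]

def find_powershell_in_xml(xml_text: str) -> List[str]:
    """Return element paths (tag chains) whose text or attributes match an indicator."""
    hits: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Malformed XML in a configuration directory is itself worth a look.
        return ["<unparseable>"]

    def walk(elem: ET.Element, path: str) -> None:
        values = [elem.text or ""] + list(elem.attrib.values())
        if any(p.search(v) for v in values for p in PS_INDICATORS):
            hits.append(path)
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return hits

def triage(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map file name -> matched element paths, for files with at least one hit."""
    return {name: h for name, text in files.items() if (h := find_powershell_in_xml(text))}

# Constructed samples (hypothetical element names, placeholder payload), not real Cleo files.
SAMPLES = {
    "benign.xml": "<Host alias='partner'><Command>LPUT inbox/*.edi</Command></Host>",
    "suspicious.xml": (
        "<Host alias='x'><Action><Commands>SYSTEM cmd /c powershell.exe -NoProfile "
        "-WindowStyle Hidden -EncodedCommand PLACEHOLDER_BASE64</Commands></Action></Host>"
    ),
}

if __name__ == "__main__":
    for name, paths in triage(SAMPLES).items():
        print(f"{name}: PowerShell indicators at {', '.join(paths)}")
```

Point the routine at the XML configuration and autorun-style directories your MFT deployment actually uses; any hit, or any unparseable file, is a candidate for incident review rather than automatic deletion.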