Fully patched Cleo products under renewed ‘zero-day-ish’ mass attack

December 10, 2024 at 08:44AM

Huntress reports widespread exploitation of a vulnerability in Cleo managed file transfer products, including on fully patched systems. The bug, tracked as CVE-2024-50623, allows unauthenticated remote code execution; Huntress has seen exploit activity against more than 1,700 exposed servers and at least ten customers are confirmed compromised. Huntress recommends placing the servers behind a firewall and applying other mitigations while an updated patch from Cleo is awaited.

### Meeting Takeaways: Vulnerability Exploitation of Cleo Products

1. **Exploited Vulnerability**:
– Huntress has identified mass exploitation of CVE-2024-50623, an unauthenticated remote code execution (RCE) vulnerability in Cleo's Harmony, VLTrader, and LexiCom products. The exploitation works against version 5.8.0.21, the release that carries Cleo's fix for this CVE.

2. **Patching Status**:
– Cleo released a patch for this vulnerability in October (version 5.8.0.21), but exploitation continues on systems running that patched version, so the fix is insufficient.

3. **Extent of Exploitation**:
– Huntress observed exploit attempts on over 1,700 Cleo servers, with indications that the actual number may be much higher. At least ten customers are confirmed compromised.

4. **Affected Industries**:
– Compromised customers primarily include sectors such as consumer products, food, trucking, and shipping.

5. **Exposed Systems**:
– A Shodan search shows roughly 390 additional Cleo servers exposed to the internet and therefore at risk, independent of the hosts Huntress monitors.

6. **Attack Patterns**:
– Initial exploit attempts were observed starting December 3, 2024. Logs show attempts originating from multiple countries, including Moldova, the Netherlands, Canada, Lithuania, and the US.

7. **Research Findings**:
– Attackers drop files into the product's Autorun Directory; Cleo processes them automatically and then deletes them, leaving little on disk for responders. The autorun content abuses Cleo's Import functionality to execute PowerShell commands that retrieve additional files, which are likewise deleted after execution.

8. **Recommendations for Users**:
– Until Cleo releases a new patch, users should place internet-exposed Cleo servers behind a firewall and clear (blank out) the "Autorun Directory" field in the product configuration so that files placed in that directory are no longer processed. Clearing the field removes the execution path the attackers rely on but does not fix the underlying vulnerability, so it is a stopgap, not a replacement for the pending patch.

9. **Vendor Response**:
– Cleo is aware of the situation and indicated plans to release an updated patch soon but has not yet provided a timeline.

10. **Next Steps**:
– Monitor for Cleo’s updates and implement recommended mitigation strategies immediately.
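Because the autorun files described above are consumed and then deleted, responders frequently find nothing on disk to examine. The following script, added here as an illustration and not code from Huntress or Cleo, polls a directory and preserves a copy and SHA-256 of every file that appears, before the product can consume it, and flags content that references PowerShell or an Import directive. The directory paths, the content markers, and the sample file in the test are assumptions; the actual artifacts Huntress observed are not reproduced on this page.

```python
"""Preserve and flag files dropped into a Cleo-style Autorun Directory.

Added example, not Cleo or Huntress code. The markers below are assumptions
for illustration: the page describes PowerShell launched through Cleo's
Import functionality but does not reproduce the real autorun file contents.
"""
import hashlib
import re
import time
from dataclasses import dataclass
from pathlib import Path

# Assumed content markers; tune to what is actually seen in an environment.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"powershell(\.exe)?\b", re.I),                      # direct launch
    re.compile(rb"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # encoded cmd
    re.compile(rb"\bImport\b"),                                       # hypothetical directive
]


@dataclass
class Capture:
    name: str
    sha256: str
    size: int
    suspicious: bool
    preserved_path: Path


def is_suspicious(data: bytes) -> bool:
    """True if any assumed marker appears in the file content."""
    return any(p.search(data) for p in SUSPICIOUS_PATTERNS)


def scan_once(autorun_dir: Path, preserve_dir: Path, seen: set) -> list:
    """Copy every not-yet-seen file out of autorun_dir before it is consumed.

    `seen` holds (name, sha256) pairs across calls so each file is preserved
    once. Returns the Capture records for files preserved on this pass.
    """
    preserve_dir.mkdir(parents=True, exist_ok=True)
    captures = []
    for entry in sorted(autorun_dir.iterdir()):
        if not entry.is_file():
            continue
        try:
            data = entry.read_bytes()
        except (FileNotFoundError, PermissionError):
            # Consumed and deleted between listing and read: nothing to save.
            continue
        digest = hashlib.sha256(data).hexdigest()
        key = (entry.name, digest)
        if key in seen:
            continue
        seen.add(key)
        # Write from the bytes already in memory rather than copying the path,
        # so a deletion racing us after the read cannot lose the evidence.
        stamp = time.strftime("%Y%m%dT%H%M%S")
        dest = preserve_dir / f"{stamp}_{digest[:12]}_{entry.name}"
        dest.write_bytes(data)
        captures.append(Capture(entry.name, digest, len(data), is_suspicious(data), dest))
    return captures


def watch(autorun_dir: Path, preserve_dir: Path, interval: float = 0.5) -> None:
    """Poll until interrupted, printing one line per preserved file.

    Keep the interval short: the window between drop and deletion is brief.
    """
    seen = set()
    while True:
        for c in scan_once(autorun_dir, preserve_dir, seen):
            flag = "SUSPICIOUS" if c.suspicious else "captured"
            print(f"{flag}: {c.name} sha256={c.sha256} size={c.size} -> {c.preserved_path}")
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: autorun_watch.py <autorun_dir> <preserve_dir>")
    watch(Path(sys.argv[1]), Path(sys.argv[2]))
```

Run it with the product's configured Autorun Directory as the first argument and a preservation directory on a separate path (ideally a separate volume that the Cleo service account cannot write to) as the second. Polling is best effort: a file consumed faster than the poll interval is missed, so on a host that matters use a filesystem-event mechanism for lower latency and treat this as a supplement to, not a substitute for, the firewall and Autorun Directory mitigations above.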

### Action Items:
– **For Huntress**: Continue monitoring exploit attempts and share findings with affected organizations.
– **For Cleo Users**: Implement mitigation strategies and await further instructions from Cleo regarding patch release.
