Cleo Vulnerability Exploitation Linked to Termite Ransomware Group

December 11, 2024 at 07:41AM

The newly identified ransomware group Termite appears responsible for exploiting a vulnerability in Cleo’s file transfer software. This issue allows unauthorized file access and potential remote code execution, affecting around 1,700 servers, primarily in the US retail sector. Cleo plans to release a fix for the vulnerability soon.

### Meeting Takeaways

1. **Emerging Threat**: A new ransomware group called Termite is potentially responsible for recent attacks targeting vulnerabilities in Cleo’s file transfer tools.

2. **Vulnerability Details**:
– The vulnerability, tracked as CVE-2024-50623, affects Cleo’s Harmony, VLTrader, and LexiCom products, allowing unrestricted file uploads/downloads and remote code execution.
– The fix shipped in version 5.8.0.21, released in late October, was incomplete, and the vulnerability has been actively exploited since at least December 3.

3. **Impact on Organizations**:
– Cybersecurity firm Huntress has reported attacks targeting approximately 1,700 servers, compromising at least 10 businesses.
– Rapid7 and Sophos have also identified exploitation attempts on over 50 hosts.
– Most affected organizations are located in North America, primarily in retail, as well as sectors like consumer products, food, trucking, and shipping.

4. **Active Threats & Goals**:
– Reconnaissance and post-exploitation activities have been observed, suggesting that attackers aim to steal sensitive information.
– The situation draws parallels with the MOVEit hack campaign involving the Cl0p ransomware group.

5. **Connection to Other Attacks**:
– Termite recently attacked supply chain management software Blue Yonder, compromising data from companies such as Starbucks and significant grocery chains.

6. **Cleo’s Response**:
– Cleo announced plans to release version 5.8.0.23 to address the vulnerability, with a new CVE identifier pending.
– In a private advisory, Cleo detailed that vulnerabilities could allow attackers to execute arbitrary commands on host systems due to default settings.

7. **Public Exposure**:
– Censys identified around 1,300 instances of Cleo’s affected products exposed to the internet, with nearly 80% located in the United States.

### Action Items

– Monitor ongoing developments regarding vulnerabilities in Cleo products and any actions taken by affected organizations.
– Prepare communications for clients within the sectors impacted by the attacks, especially those utilizing Cleo’s software.
– Stay informed about Cleo’s updates and the release schedule for version 5.8.0.23 to ensure timely application of fixes.
