December 12, 2024 at 06:08AM
Cleo has updated its Harmony, VLTrader, and LexiCom file transfer tools to address a critical vulnerability (CVE-2024-50623) affecting several industries. The flaw allows unpatched systems to be exploited for file access and remote code execution. Security firms are analyzing related malware linked to ongoing attacks, suggesting widespread exploitation.
### Meeting Takeaways: Cleo Vulnerability and Security Update
1. **Security Update Release**: Cleo has released updates (version 5.8.0.24) for its Harmony, VLTrader, and LexiCom file transfer tools to address an actively exploited vulnerability (CVE-2024-50623).
2. **Nature of the Vulnerability**: The vulnerability allows unauthenticated attackers to perform unrestricted file uploads and downloads, potentially leading to remote code execution.
3. **Exploitation and Impact**: The flaw has been actively exploited since December 3, affecting various sectors including retail, food, and shipping. Security firms are analyzing the extent of these attacks.
4. **Urgent Patch Recommendation**: Cleo recommends that all customers upgrade to the latest patch immediately to mitigate potential attack vectors.
5. **Security Firm Insights**: Huntress confirmed that the latest patch appears effective against the vulnerability based on their proof-of-concept testing.
6. **Involvement of Threat Actors**: There are indications that the recent attacks may be linked to a new ransomware group named Termite, but multiple threat actors may also be exploiting the vulnerability due to the widespread nature of the exposure.
7. **Potential Outcomes of Exploitation**: The suspected intention behind the attacks is the theft of sensitive information from organizations using Cleo products, similar to the previous MOVEit hack campaign.
8. **Analysis of Malware**: Reports indicate that the malware used in these attacks acts as a Java-based post-exploitation framework and remote access trojan (RAT), facilitating reconnaissance, command execution, and file exfiltration.
9. **Technical Analysis Released**: Security firms, including WatchTowr, Huntress, Rapid7, and Binary Defense, have published analyses detailing the nature of the attacks and related malware.
### Next Steps
– **Immediate Action**: Ensure that all instances of Cleo products are upgraded to version 5.8.0.24.
– **Monitor for Threat Activity**: Stay informed on further updates from security firms and any developments regarding associated threat groups.
– **Review Security Protocols**: Evaluate current security measures to safeguard against remote code execution and similar vulnerabilities.