Security researchers at Huntress discovered that a vulnerability in Cleo file transfer software was being actively exploited in the wild.
This flaw left systems running Cleo's LexiCom, VLTrader, and Harmony software vulnerable to RCE attacks despite the release of an initial patch. Huntress conducted an independent analysis and found that the initial patch failed to fully address the software flaw.
Attack Flow
The attack begins with the placement of files in the system’s autorun directory, leveraging a file-write vulnerability.
These files trigger Cleo’s native "Import" functionality to process a disguised ZIP archive containing malicious configurations. One such file, main.xml, stages commands that execute a Base64-encoded PowerShell script.
This script connects to external servers to download additional malicious components, enabling persistence and remote control.
By using Cleo's native operational features, the attackers maintain a low profile, and they delete key files after execution to reduce traces of their activity. They also perform reconnaissance, using tools such as nltest.exe to map network resources such as Active Directory.
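The behaviours listed above (a file dropped into and later removed from the Cleo autorun directory, Base64-encoded PowerShell spawned from the Cleo process tree, and nltest.exe reconnaissance from that tree) map directly onto endpoint telemetry. The following is an added example, not code from Cleo or Huntress, that runs those checks over constructed file and process events; the Cleo install roots, the process names, the event field layout and the sample file name are assumptions about a typical Windows deployment.

```python
"""Detection sketch for the Cleo exploitation chain described above.

Added example, not Cleo's or Huntress's code. It scans constructed endpoint
telemetry (file and process events as dicts) for: files created in and then
deleted from the Cleo autorun directory, Base64-encoded PowerShell launched
from the Cleo process tree, and nltest.exe reconnaissance from that same
tree. Install roots, process names and event layout are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: default Cleo install roots on Windows; adjust to your deployment.
CLEO_ROOTS = (r"c:\lexicom", r"c:\vltrader", r"c:\harmony")
AUTORUN_DIRS = tuple(root + "\\autorun\\" for root in CLEO_ROOTS)
# nltest.exe is named in the article; the other two are assumed additions.
RECON_TOOLS = {"nltest.exe", "whoami.exe", "net.exe"}
# Matches the -EncodedCommand switch and its common abbreviations.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def decode_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_cleo_process(image: str) -> bool:
    """True if the executable lives under a Cleo install root (e.g. its bundled javaw.exe)."""
    return image.lower().startswith(CLEO_ROOTS)


def analyze(events: List[dict]) -> List[Finding]:
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def descends_from_cleo(pid: int) -> bool:
        # Walk the parent chain; stop on unknown parents or cycles.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            pid = procs[pid]["ppid"]
            if pid in procs and is_cleo_process(procs[pid]["image"]):
                return True
        return False

    findings = []
    for e in events:
        if e["type"] == "file":
            if e["path"].lower().startswith(AUTORUN_DIRS):
                findings.append(Finding("autorun_" + e["action"], e["pid"], e["path"]))
        else:
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if name in ("powershell.exe", "pwsh.exe"):
                decoded = decode_powershell(e["cmdline"])
                if decoded is not None and descends_from_cleo(e["pid"]):
                    findings.append(Finding("cleo_encoded_powershell", e["pid"], decoded))
            elif name in RECON_TOOLS and descends_from_cleo(e["pid"]):
                findings.append(Finding("cleo_recon", e["pid"], name))
    return findings


# Constructed telemetry: one intrusion chain plus two benign look-alikes.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\LexiCom\jre\bin\javaw.exe", "cmdline": "javaw.exe"},
    {"type": "file", "action": "create", "pid": 100, "path": r"C:\LexiCom\autorun\sample-dropped.txt"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + SAMPLE_ENCODED},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest.exe"},
    {"type": "file", "action": "delete", "pid": 100, "path": r"C:\LexiCom\autorun\sample-dropped.txt"},
    # Benign: a scheduled backup script and an admin running nltest from a console.
    {"type": "process", "pid": 500, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"type": "process", "pid": 600, "ppid": 1, "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:24} pid={f.pid} {f.detail}")
```

The parent-chain walk is what keeps the benign events quiet: PowerShell with an encoded command and nltest.exe are both common on their own, so the rules only fire when the process descends from an executable under a Cleo install root. Autorun create/delete pairs are reported regardless of parent, since the page describes the drop and the later cleanup as the start and end of the chain.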
Impacted Sectors
According to Huntress, targeted sectors included consumer products, food, trucking, and shipping, with exploitation surging between December 3 and December 8.
Huntress reported, “From our telemetry, we’ve discovered at least ten businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC.”
Additionally, Kevin Beaumont (aka GossiTheDog) reported that the Termite ransomware group, and possibly other groups, have a zero-day vulnerability for Cleo LexiCom, VLTrader, and Harmony.
Latest Updates
A new issue has since emerged. According to Cleo’s latest security advisory, Cleo has identified a further vulnerability that allows attackers to exploit Cleo software remotely without valid credentials, potentially leading to remote code execution.
The same advisory lists the following products as still vulnerable:
- Cleo Harmony (up to version 5.8.0.23)
- Cleo VLTrader (up to version 5.8.0.23)
- Cleo LexiCom (up to version 5.8.0.23)
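For an inventory sweep, the ceiling above has to be compared numerically: a plain string comparison ranks 5.8.0.9 above 5.8.0.23. The following is an added example, not Cleo's tooling, that parses reported version strings and flags the three products at or below 5.8.0.23 as the advisory summary on this page states; host names and versions in the inventory are constructed.

```python
"""Flag Cleo builds inside the affected range listed above.

Added example, not Cleo's tooling. The advisory summary on this page gives
"up to version 5.8.0.23" for Harmony, VLTrader and LexiCom; this compares an
inventory's version strings against that ceiling component-wise, so 5.8.0.9
is treated as older than 5.8.0.23. Inventory entries are constructed.
"""
from typing import List, Tuple

AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}
AFFECTED_CEILING = (5, 8, 0, 23)  # inclusive, per the advisory summary above


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.8.0.23' -> (5, 8, 0, 23); a trailing tag such as '5.8.0.23-hotfix' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True for a listed product whose version is at or below the ceiling."""
    if product not in AFFECTED_PRODUCTS:
        return False
    v = parse_version(version)
    # Pad short versions (e.g. "5.7") with zeros so they compare component-wise.
    v = v + (0,) * max(0, len(AFFECTED_CEILING) - len(v))
    return v[: len(AFFECTED_CEILING)] <= AFFECTED_CEILING


# Constructed inventory: (host, product, version as reported by asset management).
SAMPLE_INVENTORY = [
    ("mft-01", "LexiCom", "5.8.0.23"),
    ("mft-02", "Harmony", "5.8.0.9"),
    ("mft-03", "VLTrader", "5.8.0.24"),  # above the listed ceiling; confirm the fixed build with Cleo's advisory
    ("mft-04", "Harmony", "5.7"),
    ("web-01", "Nginx", "1.24.0"),       # not a Cleo product, ignored
]


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts whose Cleo product/version pair falls inside the affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("affected:", host)
```

The check treats the ceiling as inclusive and only tells you a build is inside the range the advisory describes; it says nothing about which later build contains the fix, so pair it with the advisory itself before closing a ticket.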
Immediate Actions for Cleo Users
If you or your organization uses any of the Cleo systems mentioned above, here’s what you can do:
- Move any Cleo systems that are accessible over the internet behind a firewall. This practice minimizes exposure to potential exploitation attempts.
- Monitor Cleo for the latest security patches to address the identified vulnerabilities. Regularly check Cleo’s website or subscribe to their security advisories to stay informed about updates.
- Reach out to Cleo’s support team for guidance and assistance. Cleo has opened 24x7 customer support access for all customers, regardless of their support level, to help address concerns related to this vulnerability.