Summary
- The ransomware group Cl0p has claimed responsibility for the ongoing exploitation of a zero-day vulnerability in fully patched versions of Cleo’s file management software, which allows for remote code execution (‘RCE’).
- Cleo customers should immediately update their software to the latest version (5.8.0.24), ensuring any systems running Cleo software are not exposed to the internet until patching has been applied.
- Victims may not be aware their data has been exposed. If you are contacted by Cl0p or any other threat actors in relation to the breach, please reach out to S-RM for support.
What happened?
In early December 2024, security researchers identified ongoing exploitation of a critical vulnerability – allowing for remote code execution and data theft – in several data management tools published by the US software developer Cleo:
- Cleo Harmony (version 5.8.0.21 and below)
- Cleo VLTrader (version 5.8.0.21 and below)
- Cleo LexiCom (version 5.8.0.21 and below)
A similar vulnerability (initially reported by Cleo as CVE-2024-50623) was thought to have been addressed in a patch (version 5.8.0.21) released in October. However, security researchers successfully recreated the new exploit in fully patched versions of the software.
Cleo has issued an update to its initial advisory note (under CVE-2024-55956) and released a new patch (version 5.8.0.24) to address the vulnerability.
On 16 December 2024, the ransomware group Cl0p claimed responsibility for the Cleo attacks via a statement on their leak site, which indicated victims’ data would be posted over the coming days. As of 16 December 2024, Cl0p’s claim has not been verified; however, the same group was responsible for previous similar mass zero-day software exploits, most notably the MOVEit Transfer exploit from June 2023.
How?
CVE-2024-55956 allows attackers to write arbitrary files into directories on servers running the vulnerable software, including an ‘autorun’ directory whose contents the software processes and then automatically deletes. Attackers drop a .txt file into the ‘autorun’ folder which calls and processes other files held locally on the system, and then drop a second file into another directory for processing by the ‘autorun’ function.
This second file allows for arbitrary remote code execution, for example PowerShell commands with instructions to contact external IP addresses and download further files – such as malicious web shells – to gain a foothold on the server and begin post-exploitation activities, such as domain reconnaissance.
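The mechanism above hinges on a file unexpectedly appearing in the ‘autorun’ directory. The following script is an added example (not part of the S-RM advisory and not Cleo’s own code) of the defensive check a practitioner would want: take a baseline snapshot of that directory and report anything added, removed or modified since. The path in AUTORUN_DIR is a placeholder assumption, since the advisory does not state Cleo’s install layout; the demo runs against a constructed temporary directory instead.

```python
# Added example (not from the S-RM advisory and not Cleo's own code): detect
# files appearing in a Cleo 'autorun' directory by diffing against a baseline
# snapshot. AUTORUN_DIR is a placeholder; the advisory does not give Cleo's
# real install path, so set it to the directory on your server.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

AUTORUN_DIR = Path("/opt/cleo/autorun")  # assumption / placeholder path


def snapshot(directory: Path) -> Dict[str, str]:
    """Map each regular file under directory to its SHA-256 hex digest."""
    result: Dict[str, str] = {}
    for path in sorted(directory.rglob("*")):
        if path.is_file():
            rel = path.relative_to(directory).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def check_autorun(baseline: Dict[str, str], directory: Path = AUTORUN_DIR) -> Dict[str, List[str]]:
    """Entry point for a real server: compare the live directory with a stored baseline."""
    return diff_snapshots(baseline, snapshot(directory))


def demo() -> Dict[str, List[str]]:
    """Self-contained run against a constructed temp directory instead of AUTORUN_DIR."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "expected.txt").write_text("constructed: known-good autorun file\n")
        baseline = snapshot(d)
        # Constructed change mirroring the advisory: a new .txt file lands in
        # the autorun folder after the baseline, and a known file is altered.
        (d / "unexpected.txt").write_text("constructed: file that was not there before\n")
        (d / "expected.txt").write_text("constructed: altered content\n")
        return check_autorun(baseline, d)


if __name__ == "__main__":
    print(demo())
```

Because the autorun function deletes files once it has processed them, a dropped file may exist only briefly; run the comparison on a short interval and pair it with file-system audit logging on the directory so that short-lived writes are still recorded.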
What should I do?
As at 16 December 2024, our preliminary research identified at least 400 unique systems exposed to the public internet still running outdated Cleo software. The total number may be significantly higher.
For anyone potentially affected, our key recommendations are:
- Cleo users should immediately apply the latest patch, ensuring vulnerable software is updated to version 5.8.0.24 (available here).
- Any systems running Cleo software should not be exposed to the internet, or should at least be placed behind a firewall that requires additional authentication for access, until patching has been completed.
- Even if your enterprise does not use Cleo, your key vendors and data partners may be exposed. We recommend conducting or engaging in enhanced dark web monitoring over the next few weeks to track any potential breaches.
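The first two recommendations reduce to a triage question: which Cleo installs are still below 5.8.0.24, and which of those face the internet? The script below is an added example (not S-RM’s or Cleo’s code) that answers it from an asset register, ranking exposed hosts first. The inventory, hostnames and field names are constructed assumptions; only the product names and the 5.8.0.24 threshold come from the advisory.

```python
# Added example (not S-RM's or Cleo's code): triage a host inventory for Cleo
# Harmony/VLTrader/LexiCom installs below the patched release 5.8.0.24 and
# rank internet-exposed ones first. The inventory below is constructed sample
# data; the field names are assumptions about your own asset register.
from typing import Dict, List, Tuple

PATCHED_VERSION = "5.8.0.24"          # fixed release named in the advisory
CLEO_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the installed version is 5.8.0.24 or later."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def triage(inventory: List[Dict]) -> List[Dict]:
    """Return unpatched Cleo hosts, critical (exposed) before high (internal)."""
    findings = []
    for host in inventory:
        if host["product"] not in CLEO_PRODUCTS or is_patched(host["version"]):
            continue
        exposed = host["internet_exposed"]
        findings.append({
            "host": host["host"],
            "product": host["product"],
            "version": host["version"],
            "severity": "critical" if exposed else "high",
            "action": ("take offline or firewall now, then patch to %s" % PATCHED_VERSION)
                      if exposed else ("patch to %s" % PATCHED_VERSION),
        })
    # Critical findings first, then stable ordering by hostname.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["host"]))
    return findings


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "mft-01", "product": "Harmony",  "version": "5.8.0.21", "internet_exposed": True},
    {"host": "mft-02", "product": "VLTrader", "version": "5.8.0.24", "internet_exposed": True},
    {"host": "mft-03", "product": "LexiCom",  "version": "5.8.0.9",  "internet_exposed": False},
    {"host": "mft-04", "product": "Harmony",  "version": "5.8.0.3",  "internet_exposed": True},
    {"host": "web-01", "product": "nginx",    "version": "1.25.3",   "internet_exposed": True},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Note that the comparison is numeric on each dotted component: a plain string comparison would rank "5.8.0.3" above "5.8.0.24" and silently mark an old install as patched.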
What will happen next?
It is likely that victims’ stolen data will be posted by Cl0p – and possibly other threat actors – over the coming days and weeks. As with the MOVEit exploit, the named victims will likely include not only those who were directly breached, but anyone whose data has been exposed. Many victims might not be aware their data is at risk until they are named on the site.
If you are contacted by any actors claiming to possess your data, consider engaging expert help. S-RM’s incident response team is well-placed to support victims with environment containment checks and threat actor engagement, following our experience handling similar software breaches in the past, including MOVEit.