Full Report
The bug was initially tagged as CVE-2024-50623 in October and patched by the company, but researchers from cybersecurity firm Huntress discovered that systems were still vulnerable even after applying the fix.
Analysis Summary
# Vulnerability: Cleo File Transfer Products Exploited Due to Persistent Flaw
## CVE Details
- CVE ID: CVE-2024-50623 (Initial tag, a new CVE is being generated for the current issue)
- CVSS Score: Not explicitly stated (Inferred High due to active exploitation and critical nature, but exact score unavailable)
- CWE: Not specified
## Affected Systems
- Products: Cleo Harmony, VLTrader, LexiCom
- Versions: Systems that were patched previously but are still vulnerable, suggesting flaws in the initial patch implementation or the underlying vulnerability persisting across initial patching efforts.
- Configurations: Instances of Cleo software exposed to the internet were specifically noted (e.g., the Blue Yonder instance).
## Vulnerability Description
A critical vulnerability existed in Cleo file sharing products (Harmony, VLTrader, LexiCom). Although initially addressed under CVE-2024-50623 in October, subsequent research revealed that many systems remained vulnerable even after applying the initial fix. A new patch was released specifically to address the issue that persisted post-initial remediation. Threat actors are actively exploiting this ongoing flaw, deploying a new malware family named Malichus for initial access and reconnaissance.
## Exploitation
- Status: Exploited in the wild (Active mass exploitation campaign observed starting December 7th).
- Complexity: High (Attackers demonstrated intimate knowledge of the software and deployed a clever attack; threat actors appear sophisticated).
- Attack Vector: Network (Used for initial access).
## Impact
- Confidentiality: High (Attackers are performing enumeration after gaining access, suggesting data discovery is a goal).
- Integrity: High (Deployment of malware/backdoors).
- Availability: Potential (If subsequent ransomware execution occurs, though currently primarily focused on reconnaissance).
## Remediation
### Patches
- **New Patch Issued:** Cleo released a new patch on Wednesday night to resolve the issue that persisted after the initial CVE-2024-50623 fix. Customers must apply this latest version immediately.
### Workarounds
- **Block Exploiting IP Addresses:** Customers should apply instructions from the private advisory to block a set of known malicious IP addresses observed exploiting the bug.
- **Customer Support:** Cleo has extended enhanced 24/7 customer support for assistance in remediation.
## Detection
- **Malware Family:** Look for activity related to the **Malichus** malware family being deployed post-exploitation.
- **Activity Observed:** Initial compromise involves obtaining persistence, establishing Command and Control (C2) communication, and performing environment enumeration.
- **Indicators of Compromise (IoCs):** Blocking identified malicious source IP addresses.
- **Detection Methods:** Utilize Endpoint Detection and Response (EDR) tools to monitor for post-exploitation activity consistent with network reconnaissance originating from the affected Cleo services.
## References
- support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623
- support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update
- huntress.com/blog/cleo-software-vulnerability-malware-analysis
- therecord.media/multiple-cleo-file-transfer-products-exploited-by-hackers
- arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/
- labs.watchtowr.com/cleo-cve-2024-50623/
- rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropped-in-cleo-exploitation-campaign/