Full Report
Two critical vulnerabilities in Cleo file transfer software—CVE-2024-50623 and CVE-2024-55956—have been actively exploited, leading to unauthorized data access and system compromise. The Clop ransomware gang has claimed responsibility for these attacks, leveraging zero-day exp...
Analysis Summary
# Incident Report: Active Exploitation of Cleo File Transfer Vulnerabilities by Clop Ransomware
## Executive Summary
Threat actors attributed to the Clop ransomware gang exploited two critical vulnerabilities, CVE-2024-50623 and CVE-2024-55956, in the Cleo file transfer products Harmony, VLTrader, and LexiCom. Both were used as zero-days: the exploits gave unauthenticated remote code execution on internet-facing transfer servers, which the actors used for data theft, system compromise, and subsequent ransomware deployment across targeted networks.
## Incident Details
- Discovery Date: October 2024 (Cleo published the initial fix for CVE-2024-50623, version 5.8.0.21); in-the-wild exploitation of both patched and unpatched hosts was reported in December 2024.
- Incident Date: Exploitation ongoing from December 2024, shortly after the initial patch; the bypass of that patch was tracked as CVE-2024-55956 and fixed in 5.8.0.24.
- Affected Organization: Organizations utilizing Cleo file transfer software (Harmony, VLTrader, LexiCom).
- Sector: Unspecified, likely spanning multiple sectors utilizing secure file transfer.
- Geography: Global (implied by software deployment).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing prior to December 2024 reports.
- Vector: Exploitation of zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo software.
- Details: CVE-2024-50623 is an unrestricted file upload and download flaw that allowed remote code execution via malicious file uploads; Cleo's initial fix (5.8.0.21) was incomplete, and hosts running it were still exploited. The activity was initially attributed to CVE-2024-50623 alone, then tied to a distinct flaw, CVE-2024-55956, which lets an unauthenticated attacker import and execute arbitrary Bash or PowerShell commands by abusing the default settings of the Autorun directory.
### Lateral Movement
- Date/Time: Post-initial access.
- Vector: Privilege escalation and network pivoting utilizing compromised systems.
- Details: Attackers deployed Java-based RATs, launched PowerShell instances as shellcode loaders, and leveraged advanced techniques like OverPass-The-Hash to obtain Kerberos tickets and escalate privileges.
### Data Exfiltration/Impact
- Date/Time: Ongoing.
- Vector: Data theft and encryption.
- Details: Sensitive data was stolen, and Clop actors deployed ransomware to encrypt devices across corporate networks.
### Detection & Response
- Date/Time: Post-exploitation activity (detection timeline varies per victim).
- Vector: Security monitoring of unusual system behavior and public advisories.
- Details: Response actions for victims involve containment, eradication of backdoors and RATs, and system recovery; the source reporting does not detail any individual organization's response.
## Attack Methodology
- Initial Access: Vulnerability exploitation (CVE-2024-50623, CVE-2024-55956).
- Persistence: Installation of Java-based backdoors/RATs capable of executing arbitrary commands.
- Privilege Escalation: OverPass-The-Hash observed, allowing NTLM hash abuse to gain Kerberos tickets.
- Defense Evasion: Exploiting zero-day flaws and bypassing initial vendor patches.
- Credential Access: Indirectly via hash acquisition/abuse (OverPass-The-Hash).
- Discovery: Reconnaissance using standard enumeration commands (`systeminfo`, `whoami`).
- Lateral Movement: Use of shellcode loaders (via PowerShell) to deploy Cobalt Strike beacon DLLs.
- Collection: Stealing sensitive data prior to encryption.
- Exfiltration: Implied data exfiltration occurred before ransomware deployment.
- Impact: Ransomware encryption of hosts across corporate networks combined with theft of data, the double-extortion model Clop is known for.
## Impact Assessment
- Financial: High (potential costs associated with breach response, remediation, and ransomware demands).
- Data Breach: Theft of sensitive data (unspecified volume).
- Operational: Significant business disruption due to ransomware encryption across corporate networks.
- Reputational: High, given public attribution to the Clop ransomware group and the fact that the compromised systems are the ones customers and partners use to exchange data.
## Indicators of Compromise
- Network Indicators: Cobalt Strike beacon command-and-control traffic from the file transfer server and from pivoted hosts; the source reporting does not list specific C2 IPs or domains, so none are given here.
- File Indicators: Malicious Java-based backdoors, Cobalt Strike beacon DLLs (64-bit).
- Behavioral Indicators: Excessive use of enumeration commands (`systeminfo`, `whoami`), PowerShell execution used for shellcode loading, suspicious network traffic associated with RATs/Cobalt Strike.
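The behavioral indicators above translate into three detections over process-creation telemetry: a shell spawned by the Cleo Java service, PowerShell started with an encoded command (the usual shape of a shellcode loader stage), and a burst of distinct enumeration commands from one host. The following is an added example written for this report, not code from the source reporting or from Cleo; the event field names, the Cleo install-path markers, the extra enumeration commands beyond `systeminfo` and `whoami`, and the sample events are all constructed assumptions.

```python
"""Hunt for Cleo post-exploitation behaviour in process-creation events
(for example Sysmon Event ID 1 or EDR telemetry exported to JSON).

Added example; field names and Cleo path markers are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the Cleo products run as a Java process whose image path or
# command line names the product (Harmony, VLTrader, LexiCom) or the vendor.
CLEO_MARKERS = ("harmony", "vltrader", "lexicom", "cleo")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# systeminfo and whoami are the commands named in the report; the others are
# commonly seen alongside them (assumption).
ENUM_COMMANDS = ("systeminfo", "whoami", "nltest", "ipconfig", "net group")
ENUM_WINDOW = timedelta(minutes=5)
ENUM_THRESHOLD = 3  # distinct enumeration commands per host inside the window
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\b")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cleo_process(image, command_line):
    text = (image + " " + command_line).lower()
    return any(marker in text for marker in CLEO_MARKERS)


def detect(events):
    """Return (rule, host, timestamp) alerts for the supplied events."""
    alerts = []
    enum_seen = defaultdict(list)   # host -> [(ts, command)]
    enum_alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = basename(ev["image"])
        cmd = ev["command_line"].lower()
        host, ts = ev["host"], ev["ts"]

        # Rule 1: the file-transfer service spawning a shell is the direct
        # signature of the upload-to-RCE chain.
        if image in SHELLS and is_cleo_process(ev["parent_image"], ev["parent_command_line"]):
            alerts.append(("cleo_spawned_shell", host, ts))

        # Rule 2: PowerShell launched with an encoded command.
        if image in POWERSHELL and ENCODED_FLAG.search(cmd):
            alerts.append(("powershell_encoded_loader", host, ts))

        # Rule 3: a burst of distinct enumeration commands from one host.
        matched = next((c for c in ENUM_COMMANDS if c in cmd), None)
        if matched:
            enum_seen[host].append((ts, matched))
            recent = {c for t, c in enum_seen[host] if ts - t <= ENUM_WINDOW}
            if len(recent) >= ENUM_THRESHOLD and host not in enum_alerted:
                enum_alerted.add(host)
                alerts.append(("enumeration_burst", host, ts))
    return alerts


def _event(host, ts, parent_image, image, command_line, parent_command_line=""):
    return {"host": host, "ts": datetime.fromisoformat(ts),
            "parent_image": parent_image, "parent_command_line": parent_command_line,
            "image": image, "command_line": command_line}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry, not data from any real victim.
SAMPLE_EVENTS = [
    _event("mft01", "2024-12-09T10:00:00", r"C:\Cleo\Harmony\jre\bin\javaw.exe", PS,
           "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
           parent_command_line="javaw.exe -jar Harmony.jar"),
    _event("mft01", "2024-12-09T10:00:30", PS, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _event("mft01", "2024-12-09T10:00:45", PS, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _event("mft01", "2024-12-09T10:01:10", PS, r"C:\Windows\System32\nltest.exe",
           "nltest /dclist:corp.example"),
    # Benign admin activity on a workstation: no Cleo parent, no encoded command.
    _event("ws07", "2024-12-09T10:02:00", r"C:\Windows\explorer.exe", PS,
           "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for rule, host, ts in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {host} {rule}")
```

Rule 1 is the one with the best signal-to-noise ratio: a managed file transfer service has no legitimate reason to launch `cmd.exe` or PowerShell, so it can be alerted on without a threshold. Rules 2 and 3 are noisier on general-purpose hosts and are best scoped to the transfer servers and to the hosts they can reach.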
## Response Actions
- Containment measures: Isolation of affected Cleo file transfer servers and endpoint systems exhibiting malicious activity.
- Eradication steps: Removal of deployed backdoors, RATs, and Cobalt Strike binaries; patching *all* Cleo installations immediately.
- Recovery actions: Restoration of services from clean backups following forensic analysis and eradication efforts.
## Lessons Learned
- Zero-day vulnerabilities in core infrastructure components (like secure file transfer systems) pose an extreme risk.
- Patch management vigilance is crucial, as initial vendor fixes may be incomplete or bypassed (as seen with the incomplete fix for CVE-2024-50623).
- External file transfer gateways must be treated as high-value targets requiring enhanced monitoring for initial access techniques like RCE/unrestricted uploads.
## Recommendations
- Immediately upgrade all instances of Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.24 or later, the release that addresses both vulnerabilities; 5.8.0.21 does not fully close either path. Until the upgrade is applied, clear the Autorun directory setting in the product's System Options and keep the server off the internet.
- Implement strict segmentation and monitoring around all external-facing file transfer appliances.
- Deploy advanced endpoint detection and response (EDR) capable of detecting behavioral anomalies associated with file upload exploitation and PowerShell/shellcode execution.
- Review and audit configuration settings, in particular the Autorun directory and any other default location from which uploaded content can be executed, and remove or disable those paths where they are not needed.
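The version check and the Autorun directory audit from the recommendations above, as an added example that is not code from the source reporting or from Cleo. It assumes the Autorun directory lives at `<install dir>/autorun` and that the version string is copied from the product's own console; verify both against the real installation. The demo input is a constructed temporary install tree.

```python
"""Triage a Cleo Harmony/VLTrader/LexiCom host: confirm the build is
5.8.0.24 or later and list anything sitting in the Autorun directory.

Added example; the Autorun path and version source are assumptions."""
import os
import re
import tempfile
import time
from datetime import datetime, timedelta

FIXED_VERSION = (5, 8, 0, 24)          # release that addresses both CVEs
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull the four-part build number out of a string such as
    'VLTrader 5.8.0.21' (surrounding text is tolerated)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z.w version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version_text):
    return parse_version(version_text) >= FIXED_VERSION


def audit_autorun(autorun_dir, lookback=timedelta(days=30), now=None):
    """List every file under the Autorun directory with size and mtime.
    The directory is executed from, so any file here deserves a look;
    files modified within `lookback` are additionally flagged as recent."""
    now = time.time() if now is None else now
    findings = []
    if not os.path.isdir(autorun_dir):
        return findings
    for root, _dirs, files in os.walk(autorun_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            findings.append({
                "path": path,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                "recent": (now - st.st_mtime) <= lookback.total_seconds(),
            })
    return findings


def triage(version_text, install_dir):
    # Assumption: the Autorun directory is <install_dir>/autorun. Confirm the
    # configured path in System Options on the real host.
    autorun_dir = os.path.join(install_dir, "autorun")
    report = {
        "version": version_text,
        "patched": is_patched(version_text),
        "autorun_files": audit_autorun(autorun_dir),
    }
    report["action_required"] = (not report["patched"]) or bool(report["autorun_files"])
    return report


def demo():
    """Run triage against a constructed install tree in a temp directory."""
    with tempfile.TemporaryDirectory() as install_dir:
        autorun = os.path.join(install_dir, "autorun")
        os.makedirs(autorun)
        with open(os.path.join(autorun, "example.txt"), "w") as fh:
            fh.write("constructed placeholder content\n")
        return triage("LexiCom 5.8.0.21", install_dir)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

An unpatched build or a non-empty Autorun directory both set `action_required`; a file that appeared there recently on a host that has been internet-facing should be preserved for forensics rather than simply deleted, since it may be the dropped payload.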