(Credit: JUN LI via Getty Images)
UPDATE 12/12: Cleo has published a patch through version 5.8.0.24 to fix the flaw and is urging customers to install it.
Original story:
Uh oh. Hackers are actively exploiting a new software vulnerability to break into file-transfer services used widely across the industry.
These zero-day attacks are targeting products from Cleo, an IT supply chain software provider that serves over 4,000 companies including Walmart, Target, and Home Depot.
On Monday, cybersecurity vendor Huntress warned about hackers targeting Cleo’s LexiCom, VLTransfer, and Harmony software, which store and transfer files. Cleo rolled out a patch in late October, but the software flaw can still be exploited.
“This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable,” Huntress said. “We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.”
The vulnerability, dubbed CVE-2024-50623, is particularly bad because it can pave the way for unrestricted file uploads and downloads while also enabling the attack to run malicious computer code. Huntress discovered the hackers planting files, including healthchecktemplate.txt, into the autorun folder to help kick off the attacks, which also involves running a PowerShell command to execute more malicious computer code.
“From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC,” Huntress says. “After some initial analysis, however, we have found evidence of exploitation as early as December 3. The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries.”
The attack echoes last year’s breach involving MOVEIt, another file-transfer software that contained a serious vulnerability, which the CLOP ransomware gang used to steal data from companies across the industry.
Security researcher Kevin Beaumont adds that new ransomware group called Termite appears to be exploiting the Cleo vulnerability for Windows-based computers. Termite also recently claimed responsibility for the ransomware attack against Blue Yonder, another IT supplier to over 3,000 companies and organizations.
In a statement, Cleo said it launched an investigation when the vulnerability was first discovered. It also "notified customers of this issue and provided mitigation steps customers should immediately take to address the vulnerability while a patch is under development."
"Our investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin web page regularly for updates," the company added. "Cleo remains focused on supporting its customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability.”
In a support post, the company indicated the attackers might be using another, possibly related vulnerability, to target customers. In the meantime, Huntress is recommending affected users consider deleting the “Autorun Directory” in the Cleo products to prevent the hackers from exploiting the attack. Meanwhile, cybersecurity vendor Rapid 7 also says it's investigating “multiple incidents” tied to the attacks.