
Cleo File Transfer Alert | December 2024

Cleo File Transfer Alert Overview

 

Update (12/12/2024):

Today, Cleo released a patch that blocks the ongoing attacks and is strongly urging customers to upgrade all instances of Harmony, VLTrader, and LexiCom to version 5.8.0.24 as soon as possible. The upgrade closes the attack vector currently being used against Internet-exposed servers.

For customers who cannot upgrade immediately, Cleo advises disabling the Autorun feature: open the System Options and clear the Autorun directory setting. Autorun is the mechanism that automatically processes files dropped into that directory, so clearing it does not stop an attacker from uploading files, but it removes the step that turns an uploaded file into executed commands and therefore reduces the attack surface.

Background Information

A critical vulnerability (CVE-2024-50623) in Cleo's managed file transfer products is being actively exploited by threat actors, including against systems running the October 2024 patch. The vulnerability affects Cleo Harmony, VLTrader, and LexiCom in all versions prior to 5.8.0.24 and allows unauthenticated remote code execution by way of unrestricted file upload and download. Cleo released a patch (version 5.8.0.21) in October 2024, but security researchers at Huntress have confirmed that it does not fully mitigate the vulnerability and have observed exploitation of systems with that patch applied.

Impact of the Vulnerability

At least 10 businesses have been confirmed compromised, with exploitation evidence dating back to December 3, 2024.

Attackers are using the vulnerability to:

  • Deploy malicious payloads
  • Execute PowerShell commands
  • Perform Active Directory reconnaissance
  • Establish persistence through webshell-like functionality

Next Steps for Cleo Customers:

  1. Immediately upgrade all Harmony, VLTrader, and LexiCom instances to version 5.8.0.24.
  2. If you cannot upgrade yet, move any Internet-exposed Cleo systems behind a firewall so they are no longer reachable from the Internet, or temporarily take them offline until the patch can be applied.
  3. Detection & Investigation:
    • Check the hosts subdirectory of each Cleo installation directory for indicators of compromise
    • Look for files named main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml in that directory
    • Review any such files for embedded, Base64-encoded PowerShell commands and decode them to see what was run
    • Block the known malicious IP addresses associated with these attacks at the perimeter
