Cleo Communications' file transfer software is under active attack, with security researchers from Huntress revealing that a recently issued patch fails to address the critical flaws being exploited. This ongoing vulnerability poses a significant threat to sectors relying on Cleo's software for logistics and supply chain operations.
The Vulnerabilities: Autorun Directory and CVE-2024-50623
Hackers are leveraging two key vulnerabilities in Cleo's software:
- A feature that automatically executes files in the autorun directory.
- An arbitrary file-write flaw identified as CVE-2024-50623.
On December 3, Huntress reported that Cleo's LexiCom, VLTransfer, and Harmony software solutions are affected by these issues. Despite the company issuing a patch on the same day, Huntress stated that it "does not mitigate the software flaw." This leaves users vulnerable until a new, effective patch is developed.
Cleo's Response and Planned Mitigations
During a Zoom session with cybersecurity researchers, Cleo's team acknowledged the flaws and committed to designing a second patch. Earlier in the week, Cleo identified an unauthenticated malicious host vulnerability that could lead to remote code execution, although its CVE identifier is still pending.
In a statement, a Cleo spokesperson said the company had launched an investigation with the assistance of external cybersecurity experts. Cleo also informed customers about the issue and provided interim mitigation steps while working on a patch. The spokesperson emphasized that "the investigation is ongoing."
Recommendations for Cleo Users
Until an effective patch is released, Huntress has advised Cleo users to take the following immediate actions:
- Erase items from the autorun directory to disrupt attack pathways.
- Understand that this measure does not address the arbitrary file-write vulnerability, which remains exploitable.
Impacts on Businesses
The exploitation of Cleo's software has significant repercussions, particularly for industries dependent on large-scale logistics and supply chain operations. Researchers reported that:
- At least 10 businesses have experienced breaches involving Cleo servers.
- There was a "notable uptick in exploitation" on December 8 around 07:00 UTC.
- Most incidents have targeted sectors such as consumer products, the food industry, and shipping.
A search on Shodan revealed 436 vulnerable servers, with the majority located in the United States. This underscores the scale of potential exposure and the urgent need for mitigation.
The Attack Chain: From Autorun to Persistent Access
Attackers exploit the autorun directory feature by inserting malicious files that execute automatically. These files allow them to:
- Run PowerShell commands.
- Establish persistent access using webshells retrieved from remote servers.
Examples of malicious autorun files include:
- healthchecktemplate.txt
- healthcheck.txt
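A defender's companion to the autorun mitigation recommended above and the filenames just listed, added here as an example that is not code from the article, Huntress or Cleo: it inventories a Cleo autorun directory with hashes, flags the published filenames, and moves (rather than deletes) every file out of the directory so nothing there can execute while the artifacts are preserved for incident response. The autorun path, the quarantine location and the sample files in run_demo() are assumptions; as the article notes, clearing autorun does not address the arbitrary file-write flaw.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Filenames from the Huntress reporting quoted in the article; indicators, not an allowlist.
KNOWN_INDICATOR_NAMES = {"healthchecktemplate.txt", "healthcheck.txt"}

def audit_autorun(autorun_dir: Path) -> list:
    """Inventory every regular file in autorun. Cleo executes whatever lands here,
    so every file is reported; names matching the published indicators are flagged."""
    findings = []
    for p in sorted(autorun_dir.iterdir()):
        if p.is_file():
            findings.append({
                "name": p.name,
                "size": p.stat().st_size,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "known_indicator": p.name.lower() in KNOWN_INDICATOR_NAMES,
            })
    return findings

def quarantine_autorun(autorun_dir: Path, quarantine_dir: Path, dry_run: bool = True) -> list:
    """Move (rather than delete) each file out of autorun so it can no longer execute,
    keeping the artifact for incident response. Returns the destination paths."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for f in audit_autorun(autorun_dir):
        dst = quarantine_dir / f"{f['sha256'][:16]}_{f['name']}"
        if not dry_run:
            shutil.move(str(autorun_dir / f["name"]), str(dst))
        moved.append(str(dst))
    return moved

def run_demo() -> dict:
    """Constructed sample autorun directory (not a real Cleo install) exercising both steps."""
    root = Path(tempfile.mkdtemp())
    autorun, quarantine = root / "autorun", root / "quarantine"
    autorun.mkdir()
    (autorun / "healthcheck.txt").write_text("constructed sample content\n")
    (autorun / "scheduled_job.txt").write_text("constructed benign sample\n")
    findings = audit_autorun(autorun)
    preview = quarantine_autorun(autorun, quarantine, dry_run=True)  # report only
    moved = quarantine_autorun(autorun, quarantine, dry_run=False)   # actually move
    return {"findings": findings, "preview": preview, "moved": moved,
            "remaining": len(audit_autorun(autorun))}
```

On a real host, point audit_autorun() at the Cleo autorun path, review the dry-run listing first, and retain the hashes alongside the quarantined files for the investigation.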
Conclusion: Urgent Need for Robust Security Measures
The active exploitation of Cleo Communications' software highlights the evolving nature of cybersecurity threats and the critical importance of timely, effective patching. Businesses using Cleo's solutions must remain vigilant and implement recommended mitigations to minimize risk until a comprehensive fix is released.
This incident serves as a reminder for all organizations to prioritize cybersecurity, particularly in industries that handle sensitive data and depend on seamless file transfer operations.