Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cleo Server. Show all posts
Personal Data
Bank CyberSecurity Bank Data Leak Cleo Server CLOP Customer Data Data Breach Data Leak Data Theft Identity Theft Personal Data

Western Alliance Bank Data Breach Exposes Nearly 22,000 Customers’ Personal Information

 

Western Alliance Bank has alerted nearly 22,000 customers that their personal information was compromised following a cyberattack in October. The breach stemmed from a vulnerability in a third-party vendor’s secure file transfer software, which allowed attackers to gain unauthorized access to the bank’s systems and extract sensitive customer data. 

Western Alliance, a subsidiary of Western Alliance Bancorporation with over $80 billion in assets, first disclosed the incident in a February SEC filing. The bank revealed that hackers exploited a zero-day vulnerability in the software, which was officially disclosed on October 27, 2024. However, unauthorized access to the bank’s systems had already occurred between October 12 and October 24. The breach was only confirmed after the attackers leaked stolen files online. 

According to breach notification letters sent to 21,899 affected customers and filed with the Office of Maine’s Attorney General, the stolen data includes names, Social Security numbers, birth dates, financial account details, driver’s license numbers, tax identification numbers, and passport information if previously provided to the bank. Despite the exposure, Western Alliance stated there is no evidence of fraud or identity theft resulting from the breach. 

To support affected customers, the bank is offering one year of free identity protection services through Experian IdentityWorks Credit 3B. Although Western Alliance did not disclose the name of the compromised software in its SEC filing or customer notifications, the Clop ransomware gang has claimed responsibility for the attack. In January, Clop listed the bank among 58 companies targeted in a campaign that exploited a critical zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTransfer, and Harmony software. 

The ransomware group had previously leveraged similar security flaws in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA to conduct large-scale data theft operations. Further investigations revealed that Clop exploited an additional zero-day vulnerability (CVE-2024-55956) in Cleo software in December. This allowed them to deploy a Java-based backdoor, dubbed “Malichus,” enabling deeper infiltration into victims’ networks. Cleo, which serves over 4,000 organizations worldwide, confirmed the vulnerability had been used to install malicious backdoor code in affected instances of its Harmony, VLTrader, and LexiCom software. 

The full extent of the breach remains unclear, but it highlights the growing risks posed by vulnerabilities in third-party software. Organizations relying on such solutions must remain vigilant, promptly apply security patches, and implement robust defenses to prevent similar incidents.
Read more »
MFT
Cleo Server Cyber Attacks File Share Servers Firewalls MFT

File-Sharing Tools Under Attack: What Users Need to Know

 


A serious flaw has been found in three widely used file-sharing tools, putting several organizations at risk of security breaches. The three tools affected, LexiCom, VLTransfer, and Harmony, are all developed by Cleo, a company focused on managed file transfer (MFT) solutions. Experts have warned that the flaw could be exploited and urged users to take preventive measures immediately.


The Vulnerability and Its Impact

This vulnerability, identified as CVE-2024-50623, has been known to allow unrestricted file uploads and downloads. This might allow hackers to execute malicious code remotely. Huntress, a cybersecurity firm, reported that the flaw has already been exploited, with at least 24 businesses confirmed as compromised. Companies in sectors like logistics, consumer products, and food supply are included in the list.

Although Cleo has issued a patch in October 2024, Huntress believes that the update is not enough to protect the users, hence exposing the systems to attackers. According to Shodan, a search engine that monitors internet-connected devices, there are hundreds of vulnerable servers running Cleo's tools, mostly located in the United States.


What Is Happening After Exploitation?

Once the vulnerability has been exploited, attackers are engaging in activities that might reflect data theft or other malicious activities. According to Huntress, the motives of the hackers are unknown and no data breaches have so far been confirmed. But from the available evidence, files may have been accessed or stolen with huge risks to the organizations affected.


Cleo's Response and Recommended Actions

Cleo has acknowledged the vulnerability and is currently working on an improved fix. In the meantime, the company advises users to secure their systems by placing file-sharing tools behind a firewall. This added layer of protection can help minimize exposure to attackers until a robust patch is released.


A Broader Issue in File-Sharing Security

This is not the first time MFT tools have been attacked with security issues. In 2023, a Russian ransomware group exploited a similar vulnerability in MOVEit, another MFT solution, to steal sensitive data from numerous organizations worldwide. These incidents highlight the growing risks associated with such tools, emphasizing the need for stronger security measures.

Users of file-sharing tools need to be watchful and prioritize cybersecurity. Regular application of updates, use of firewalls, and monitoring for unusual activity can help minimize the exploitation risk. Since file-sharing is an integral part of modern business operations, it is essential that these tools are secure in order to protect sensitive information.




Read more »
Vulnerabilities and Exploits
Cleo Server Data Leak File Transfer Tool Security Patch Vulnerabilities and Exploits

Active Exploitation of Cleo Communications' File Transfer Software Exposes Critical Vulnerabilities

 

Cleo Communications' file transfer software is under active attack, with security researchers from Huntress revealing that a recently issued patch fails to address the critical flaws being exploited. This ongoing vulnerability poses a significant threat to sectors relying on Cleo's software for logistics and supply chain operations.

The Vulnerabilities: Autorun Directory and CVE-2024-50623

Hackers are leveraging two key vulnerabilities in Cleo's software:

  • A feature that automatically executes files in the autorun directory.
  • An arbitrary file-write flaw identified as CVE-2024-50623.

On December 3, Huntress reported that Cleo's LexiCom, VLTransfer, and Harmony software solutions are affected by these issues. Despite the company issuing a patch on the same day, Huntress stated that it "does not mitigate the software flaw." This leaves users vulnerable until a new, effective patch is developed.

Cleo’s Response and Planned Mitigations

During a Zoom session with cybersecurity researchers, Cleo's team acknowledged the flaws and committed to designing a second patch. Earlier in the week, Cleo identified an unauthenticated malicious host vulnerability that could lead to remote code execution, although its CVE identifier is still pending.

In a statement, a Cleo spokesperson said the company had launched an investigation with the assistance of external cybersecurity experts. Cleo also informed customers about the issue and provided interim mitigation steps while working on a patch. The spokesperson emphasized that "the investigation is ongoing."

Recommendations for Cleo Users

Until an effective patch is released, Huntress has advised Cleo users to take immediate actions:

  • Erase items from the autorun directory to disrupt attack pathways.
  • Understand that this measure does not address the arbitrary file-write vulnerability, which remains exploitable.

Impacts on Businesses

The exploitation of Cleo's software has significant repercussions, particularly for industries dependent on large-scale logistics and supply chain operations. Researchers reported that:

  • At least 10 businesses have experienced breaches involving Cleo servers.
  • There was a "notable uptick in exploitation" on December 8 around 07:00 UTC.
  • Most incidents have targeted sectors such as consumer products, the food industry, and shipping.

A search on Shodan revealed 436 vulnerable servers, with the majority located in the United States. This underscores the scale of potential exposure and the urgent need for mitigation.

The Attack Chain: From Autorun to Persistent Access

Attackers exploit the autorun directory feature by inserting malicious files that execute automatically. These files allow them to:

  • Run PowerShell commands.
  • Establish persistent access using webshells retrieved from remote servers.

Examples of malicious autorun files include:

  • healthchecktemplate.txt
  • healthcheck.txt

Conclusion: Urgent Need for Robust Security Measures

The active exploitation of Cleo Communications' software highlights the evolving nature of cybersecurity threats and the critical importance of timely, effective patching. Businesses using Cleo's solutions must remain vigilant and implement recommended mitigations to minimize risk until a comprehensive fix is released.

This incident serves as a reminder for all organizations to prioritize cybersecurity, particularly in industries that handle sensitive data and depend on seamless file transfer operations.

Read more »
Subscribe to: Posts (Atom)