Cleo Vulnerability Exploitation Linked to Termite Ransomware Group – Source: www.securityweek.com

A recently emerged ransomware group named Termite may be behind the recent attacks exploiting a vulnerability in file transfer tools from enterprise software maker Cleo.

It came to light on Monday that an improperly patched vulnerability affecting Cleo’s Harmony, VLTrader, and LexiCom products, which the vendor attempted to fix in late October with the release of version 5.8.0.21, has been exploited in the wild since at least December 3.

The vulnerability, tracked as CVE-2024-50623, allows unrestricted file uploads/downloads and its exploitation can lead to remote code execution. 

Cybersecurity firm Huntress reported on Monday that the vulnerability was not properly fixed and it’s being exploited against organizations that use the Cleo products. Huntress had been aware of attacks against 1,700 servers and reported that at least 10 businesses had their servers compromised.

Rapid7 has also seen attacks, and Sophos reported observing exploitation attempts against over 50 hosts.

“All observed impacted customers have a branch or operate within the North Americas, primarily the US. We note the majority of observed affected customers are retail organizations,” Sophos said.

Huntress has seen victims in the consumer product, food, trucking, and shipping industries.

The cybersecurity firms have witnessed reconnaissance and other, unspecified post-exploitation activities, but the attackers’ ultimate goal may be the theft of sensitive information, given the targeted tools’ purpose.

The incident is reminiscent of the MOVEit hack campaign, which involved the Cl0p ransomware group exploiting a zero-day in Progress Software’s MOVEit file transfer software to steal vast amounts of information from thousands of organizations.     

Researcher Kevin Beaumont reported that the Termite ransomware group and possibly other threat actors are behind the Cleo attacks. 

Termite’s existence came to light recently after it targeted supply chain management software firm Blue Yonder in an attack that hit Starbucks and some major grocery chains. The cybercriminals claim to have obtained 680 Gb of data from Blue Yonder.

Huntress has noted that major companies such as Blue Yonder do have many public-facing Cleo servers, but has not definitively confirmed that the attacks are related. 

Half a dozen victims are named on the Termite leak website at the time of writing, in addition to Blue Yonder. The threat actor is known to deliver file-encrypting ransomware and also to steal data from victims.

A public advisory released by Cleo on Tuesday reveals that the company will address an “unauthenticated malicious hosts vulnerability that could lead to remote code execution” with the upcoming release of version 5.8.0.23. A new CVE identifier is pending.

In a private advisory available to registered users, the vendor, which claims to have over 4,000 customers, revealed that the vulnerability can allow unauthenticated attackers to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. In the attacks observed in the wild, the attackers attempted to establish a reverse shell. 

Censys has reported seeing roughly 1,300 internet-exposed instances of the Harmony, VLTrader, and LexiCom products, nearly 80% in the United States. 

Related: Microsoft Patches Exploited Vulnerability in Partner Network Website

Related: CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks

Related: ‘SlashAndGrab’ ScreenConnect Vulnerability Widely Exploited for Malware Delivery