
Cleo Vulnerability Exploitation Linked to Termite Ransomware Group

Exploitation of a vulnerability affecting Cleo file transfer tools has been linked to the new Termite ransomware group.


A recently emerged ransomware group named Termite may be behind the recent attacks exploiting a vulnerability in file transfer tools from enterprise software maker Cleo.

It came to light on Monday that an improperly patched vulnerability affecting Cleo’s Harmony, VLTrader, and LexiCom products, which the vendor attempted to fix in late October with the release of version 5.8.0.21, has been exploited in the wild since at least December 3.

The vulnerability, tracked as CVE-2024-50623, allows unrestricted file uploads/downloads and its exploitation can lead to remote code execution. 

Cybersecurity firm Huntress reported on Monday that the vulnerability was not properly fixed and it’s being exploited against organizations that use the Cleo products. Huntress had been aware of attacks against 1,700 servers and reported that at least 10 businesses had their servers compromised.

Rapid7 has also seen attacks, and Sophos reported observing exploitation attempts against over 50 hosts.

“All observed impacted customers have a branch or operate within the North Americas, primarily the US. We note the majority of observed affected customers are retail organizations,” Sophos said.

Huntress has seen victims in the consumer product, food, trucking, and shipping industries.

The cybersecurity firms have witnessed reconnaissance and other, unspecified post-exploitation activities, but the attackers’ ultimate goal may be the theft of sensitive information, given the targeted tools’ purpose.


The incident is reminiscent of the MOVEit hack campaign, which involved the Cl0p ransomware group exploiting a zero-day in Progress Software’s MOVEit file transfer software to steal vast amounts of information from thousands of organizations.     

Researcher Kevin Beaumont reported that the Termite ransomware group and possibly other threat actors are behind the Cleo attacks. 

Termite’s existence came to light recently after it targeted supply chain management software firm Blue Yonder in an attack that hit Starbucks and some major grocery chains. The cybercriminals claim to have obtained 680 Gb of data from Blue Yonder.

Huntress has noted that major companies such as Blue Yonder do have many public-facing Cleo servers, but has not definitively confirmed that the attacks are related. 

Half a dozen victims are named on the Termite leak website at the time of writing, in addition to Blue Yonder. The threat actor is known to deliver file-encrypting ransomware and also to steal data from victims.

A public advisory released by Cleo on Tuesday reveals that the company will address an “unauthenticated malicious hosts vulnerability that could lead to remote code execution” with the upcoming release of version 5.8.0.23. A new CVE identifier is pending.

In a private advisory available to registered users, the vendor, which claims to have over 4,000 customers, revealed that the vulnerability can allow unauthenticated attackers to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. In the attacks observed in the wild, the attackers attempted to establish a reverse shell. 
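The advisory's point is that anything dropped into the Autorun directory gets executed, so a defender's first question is whether that directory has changed. The following is an added example (not SecurityWeek's reporting, Cleo's software, or the vendor advisory): a baseline-and-diff integrity check that hashes every file under the Autorun directory, stores the hashes, and reports files added, removed, or modified since the baseline. The `AUTORUN_DIR` path is a placeholder assumption; take the real location from the product documentation.

```python
"""Baseline-and-diff integrity check for an auto-executed directory.

Added example, not from SecurityWeek or Cleo. The Autorun path below is an
assumption; substitute the real directory from the vendor's documentation.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Placeholder: the real Autorun directory comes from the product docs/advisory.
AUTORUN_DIR = Path("/opt/cleo/autorun")  # assumed path, not verified


def snapshot(directory: Path) -> dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under directory."""
    snap = {}
    for path in sorted(directory.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(directory).as_posix()] = digest
    return snap


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots. In a directory whose contents are executed
    automatically, any entry in 'added' or 'modified' deserves an alert."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def write_baseline(snap: dict[str, str], baseline_file: Path) -> None:
    """Persist the known-good snapshot (store it outside the monitored tree)."""
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))


def read_baseline(baseline_file: Path) -> dict[str, str]:
    return json.loads(baseline_file.read_text())


def check(directory: Path, baseline_file: Path) -> dict[str, list[str]]:
    """Compare the live directory against the stored baseline and report drift."""
    return diff_snapshots(read_baseline(baseline_file), snapshot(directory))


def demo() -> dict[str, list[str]]:
    """Self-contained run on a constructed temporary directory (no real install needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        autorun = Path(tmp) / "autorun"
        autorun.mkdir()
        (autorun / "expected.txt").write_text("known-good content\n")
        baseline_file = Path(tmp) / "autorun-baseline.json"
        write_baseline(snapshot(autorun), baseline_file)

        # Constructed drift: one new file appears and one existing file is altered.
        (autorun / "unexpected.ps1").write_text("# constructed sample file, benign\n")
        (autorun / "expected.txt").write_text("tampered content\n")
        return check(autorun, baseline_file)


if __name__ == "__main__":
    # For a real host: write_baseline(snapshot(AUTORUN_DIR), Path("/var/lib/autorun-baseline.json"))
    # once after verifying the directory, then run check() on a schedule.
    print(json.dumps(demo(), indent=2))
```

Run `check()` from a scheduled job and treat any non-empty `added` or `modified` list as a high-priority alert, since the advisory describes files in this directory being executed without authentication. Keep the baseline file outside the monitored tree and on a path the service account cannot write to, otherwise an intruder who can drop files can also rewrite the baseline.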

Censys has reported seeing roughly 1,300 internet-exposed instances of the Harmony, VLTrader, and LexiCom products, nearly 80% in the United States. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
