Cleo MFT Zero-Day Exploits Set to Surge: Cleopatra Backdoor and Ransomware Campaigns in Focus

December 13, 2024

The Cleo managed file transfer (MFT) software is under attack by an active ransomware campaign, one expected to intensify now that a proof-of-concept exploit for a zero-day flaw in the software is publicly available. The flaw stems from an insufficient patch for an arbitrary file write bug tracked as CVE-2024-50623; it enables remote code execution and affects Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, as detailed in the company's security advisory. The new issue does not yet have a CVE identifier or a CVSS severity score.

The zero-day attacks began on Dec. 3, and within days at least 10 Cleo customers, including organizations in the trucking, shipping, and food industries, had been breached. Cleo has more than 4,000 customers, mostly mid-sized organizations. The ongoing ransomware campaign has been attributed to a group known as Termite, which is believed to be behind the earlier attack on Blue Yonder that disrupted major brands such as Starbucks. Analysts at Arctic Wolf expect a surge of ransomware attacks against unpatched Cleo systems.

MFT solutions like Cleo's broker sensitive enterprise data across many systems, and that broad access makes them attractive targets for threat actors. This is especially true now that a public proof-of-concept exploit for the Cleo zero-day was published on Dec. 11 by watchTowr Labs. Patching the zero-day has proved difficult, which has left attackers a window.

The original bug, CVE-2024-50623, was supposedly fixed in the Oct. 30 release of Cleo version 5.8.0.21. However, customers running that version continued to report compromises, indicating that the fix was insufficient and attackers had a separate route to the same result. Cleo has since released version 5.8.0.24 with a further security patch, but the newly exploitable issue has not yet received its own CVE designation.

Cleo's new advisory of Dec. 10 states that a patch is now available for all affected products; the company says a CVE for the new issue is "pending."

The Arctic Wolf team traced the attack chain to a malicious PowerShell stager that ultimately executes a new Java-based backdoor, dubbed "Cleopatra." Cleopatra supports in-memory file storage, runs on both Windows and Linux, and contains functionality built specifically for accessing data stored within Cleo MFT software.

Arctic Wolf researchers recommend that defenders monitor server assets for unusual activity, such as unexpected PowerShell execution, so they can respond early in the attack chain. They also recommend continuously auditing internet-exposed services for weaknesses and keeping vulnerable services off the public Internet to limit exposure to mass-exploitation campaigns.
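Two checks that follow from the version numbers and the Arctic Wolf guidance above, added here as an example and not code from Cleo, Arctic Wolf, or the article: a version comparison against the 5.8.0.24 build the advisory points to, and a detection pass over process-creation events that flags PowerShell launched on an MFT server by an unexpected parent or with stager-style arguments. The event schema, the allowlist of expected parent processes, the Cleo install path, and the sample records are all constructed for the demonstration and should be mapped onto your own telemetry.

```python
"""Triage helpers for Cleo Harmony / VLTrader / LexiCom hosts.

Added example for this article; not code from Cleo, Arctic Wolf, or the
article's author. Two checks:
  1. is_patched(): is a reported Cleo build at or above 5.8.0.24 (the version
     the article identifies as carrying the new fix; 5.8.0.21 was insufficient)?
  2. flag_powershell(): flag PowerShell process-creation events on an MFT
     server that look like a stager, per the guidance to watch for unusual
     PowerShell activity. The event schema, the allowlist of expected parents,
     and the Cleo install path are assumptions made for the demo.
"""
import json
import re

PATCHED_VERSION = (5, 8, 0, 24)       # version the article says carries the new fix
INSUFFICIENT_VERSION = (5, 8, 0, 21)  # the Oct. 30 build that proved bypassable


def parse_version(text):
    """Turn '5.8.0.24' into (5, 8, 0, 24); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_text):
    """True if the build is 5.8.0.24 or later. Shorter strings are padded
    with zeros so '5.9' compares as (5, 9, 0, 0)."""
    v = parse_version(version_text)
    v = v + (0,) * max(0, len(PATCHED_VERSION) - len(v))
    return v >= PATCHED_VERSION


# On a dedicated MFT server, PowerShell should normally be started only from an
# interactive admin session. Anything else (a service, the Cleo Java runtime,
# a scheduled task) is worth a look. Assumed allowlist; tune for your estate.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

# Argument patterns typical of a downloaded stager rather than an admin at a prompt.
STAGER_ARGS = re.compile(
    r"(?i)(?:^|\s)-(?:enc|encodedcommand|nop|noprofile|w\s+hidden|"
    r"windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b"
)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_powershell(event_lines):
    """Return (timestamp, host, reason) for each suspicious PowerShell launch.
    Each line is a JSON process-creation record with image, parent_image and
    cmdline fields (a simplified, assumed schema; map Sysmon/EDR fields to it)."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        if _basename(ev.get("image", "")) not in {"powershell.exe", "pwsh.exe"}:
            continue
        parent = _basename(ev.get("parent_image", ""))
        reasons = []
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent or '<none>'}")
        if STAGER_ARGS.search(ev.get("cmdline", "")):
            reasons.append("stager-style arguments")
        if reasons:
            findings.append((ev.get("ts", "?"), ev.get("host", "?"), "; ".join(reasons)))
    return findings


# Constructed sample telemetry (not real logs). The first record is what a
# stager launched from an assumed Cleo Java runtime path would look like here.
SAMPLE_EVENTS = [
    r'{"ts":"2024-12-04T02:13:07Z","host":"mft01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"parent_image":"C:\\Cleo\\Harmony\\jre\\bin\\javaw.exe","cmdline":"powershell -nop -w hidden -enc SQBFAFgA"}',
    r'{"ts":"2024-12-04T09:02:41Z","host":"mft01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe -File C:\\ops\\rotate-logs.ps1"}',
    r'{"ts":"2024-12-04T09:05:12Z","host":"mft01","image":"C:\\Cleo\\Harmony\\jre\\bin\\java.exe",'
    r'"parent_image":"C:\\Windows\\System32\\services.exe","cmdline":"java.exe -jar Harmony.jar"}',
    r'{"ts":"2024-12-04T11:47:55Z","host":"mft02","image":"C:\\Program Files\\PowerShell\\7\\pwsh.exe",'
    r'"parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"pwsh -EncodedCommand JABjAD0A"}',
]

if __name__ == "__main__":
    for v in ("5.8.0.21", "5.8.0.24", "5.9"):
        print(v, "patched" if is_patched(v) else "NOT patched")
    for ts, host, why in flag_powershell(SAMPLE_EVENTS):
        print(f"{ts} {host}: {why}")
```

The version check is only a first pass: it confirms a host is on the build the advisory names, not that it was never compromised, so a host that was exposed on 5.8.0.21 still needs the PowerShell review and a look for the Cleopatra backdoor regardless of its current version.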
