Termite Ransomware Group Suspected Behind Zero-Day Exploits in Cleo Software

December 10, 2024

The ransomware group known as 'Termite' is believed to be responsible for a string of attacks exploiting a zero-day vulnerability in Cleo's LexiCom, VLTrader, and Harmony file transfer software. The group recently claimed credit for a similar attack on supply chain vendor Blue Yonder, which affected several organizations, including Starbucks.

Cleo is in the process of developing a patch for the flaw, but no fix is currently available. This makes the vulnerability a zero-day that is actively being exploited. The attacks are reported to have started on December 3, and have affected at least 10 victims across multiple industries, including consumer products, trucking and shipping, and the food industry. This information comes from researchers at Huntress Labs who are monitoring the situation.

A search for vulnerable, internet-exposed Cleo systems suggests that the actual number of victims may be higher, according to Huntress. Rapid7 has also reported receiving information about compromises and post-exploit activity related to the Cleo vulnerability from multiple customers, and has urged affected organizations to take 'emergency action' to mitigate the risk.

Cleo software is used by more than 4,200 customers from various industries such as logistics and transportation, manufacturing, and wholesale distribution. Some recognizable clients include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global.

The vulnerability that Termite is exploiting has been identified as CVE-2024-50623, an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21. Cleo disclosed the vulnerability in October and advised customers to immediately upgrade affected products to the fixed version 5.8.0.21. However, the patch seems to have been insufficient, as all previously affected versions of Cleo software, including the patched 5.8.0.21, remain vulnerable to the same CVE, according to Huntress.

Cleo has acknowledged the issue and plans to issue a new CVE identifier for the bug. The company has notified customers about the threat and advised them on how to limit exposure until its patch becomes available.

Analysis of the threat actor's post-exploit activity by Huntress showed the attacker deploying Web shell-like functionality for establishing persistence on compromised endpoints. The threat actor was also observed enumerating potential Active Directory assets with nltest.exe and other domain reconnaissance tools.
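As an added illustration of the defensive side of this activity (example code written for this page, not code from the article, Huntress, or Cleo), the script below flags process-creation events in which a domain-reconnaissance binary such as nltest.exe is spawned beneath a Cleo file-transfer product, which is the pattern a web-shell-style foothold would produce. It assumes the product name (Harmony, VLTrader, or LexiCom) appears in the parent process path; real install paths and service executable names vary, and the sample events, paths, and the recon-tool list beyond nltest.exe are constructed.

```python
# Added example (not from the article, Huntress, or Cleo): a small detector that
# flags process-creation events in which a Windows domain-reconnaissance tool is
# spawned from a Cleo file-transfer product, matching the post-exploit pattern
# Huntress described (web-shell-like access followed by nltest.exe enumeration).
import json

# Assumption: the Cleo product name appears somewhere in the parent process
# path. Real install paths and service executable names vary per deployment.
CLEO_PRODUCT_MARKERS = ("harmony", "vltrader", "lexicom")

# nltest.exe is the tool named in the report; the other entries are constructed
# additions of common domain-enumeration binaries and can be extended.
RECON_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "dsquery.exe"}

# Constructed process-creation events in a Sysmon/EDR-like JSON-lines shape.
# Paths such as C:\Cleo\Harmony are placeholders, not real Cleo install paths.
SAMPLE_EVENTS = [
    json.dumps({"parent_image": r"C:\Cleo\Harmony\jre\bin\java.exe",
                "image": r"C:\Windows\System32\nltest.exe",
                "command_line": "nltest /dclist:corp",
                "user": "NT AUTHORITY\\SYSTEM"}),
    # Same tool run by an administrator from a shell: not flagged.
    json.dumps({"parent_image": r"C:\Windows\System32\cmd.exe",
                "image": r"C:\Windows\System32\nltest.exe",
                "command_line": "nltest /dsgetdc:corp",
                "user": r"CORP\helpdesk"}),
    json.dumps({"parent_image": r"C:\Cleo\LexiCom\jre\bin\java.exe",
                "image": r"C:\Windows\System32\net.exe",
                "command_line": "net group \"Domain Admins\" /domain",
                "user": "NT AUTHORITY\\SYSTEM"}),
    # Ordinary child of the product process: not flagged.
    json.dumps({"parent_image": r"C:\Cleo\LexiCom\jre\bin\java.exe",
                "image": r"C:\Cleo\LexiCom\jre\bin\java.exe",
                "command_line": "java -jar worker.jar",
                "user": "NT AUTHORITY\\SYSTEM"}),
]


def basename(path: str) -> str:
    """Return the final path component in lower case, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cleo_parent(parent_image: str) -> bool:
    """True if the parent process path contains an assumed Cleo product marker."""
    lowered = parent_image.lower()
    return any(marker in lowered for marker in CLEO_PRODUCT_MARKERS)


def detect(event_lines):
    """Return one alert dict per recon tool spawned under a Cleo product process."""
    alerts = []
    for line in event_lines:
        event = json.loads(line)
        child = basename(event.get("image", ""))
        if child in RECON_TOOLS and is_cleo_parent(event.get("parent_image", "")):
            alerts.append({
                "rule": "cleo_parent_domain_recon",
                "parent": event.get("parent_image", ""),
                "child": child,
                "command_line": event.get("command_line", ""),
                "user": event.get("user", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The rule keys on the parent-child relationship rather than on the tool alone, so routine administrator use of nltest.exe from a console is not reported while the same binary launched by the file-transfer service is. Feed it real process-creation telemetry by replacing `SAMPLE_EVENTS` with your own JSON lines and adjusting the parent markers to the executable name your Cleo deployment actually runs under.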

Jamie Levy, Huntress director of adversary tactics, stated that available evidence points to Termite as the likely perpetrator of the ongoing attacks. Blue Yonder, like the current victims, had an instance of Cleo's software open to the Internet. Termite claimed Blue Yonder as one of its victims and seemed to confirm it by publicly listing files belonging to the company.

Max Rogers, senior director of security operations at Huntress, described the new Cleo zero-day as giving attackers who hold the exploit code easy access to Cleo systems. He recommended that organizations disable the autorun feature in Cleo software to limit the attack surface while waiting for an updated patch.
