Clop Ransomware Gang Targets Cleo Vulnerability
Cleo Vulnerability Under Attack: Clop Ransomware Group Exploits New Flaw
The Clop ransomware group has once again made headlines by exploiting a critical vulnerability in Cleo’s managed file transfer platforms, including Harmony, VLTrader, and LexiCom. This recent wave of attacks follows Clop’s notorious involvement in the 2023 MOVEit Transfer supply chain incident, which impacted nearly 2,800 organizations. The vulnerability in question, tracked as CVE-2024-50623, was a zero-day flaw that Clop continued to exploit even after a patch was released in October. They have now shifted to a second vulnerability, CVE-2024-55956, indicating the ongoing threat posed by this cybercriminal group.
Understanding the New Vulnerabilities in Cleo Platforms
What is CVE-2024-55956?
CVE-2024-55956 is classified as an unauthenticated file write vulnerability. According to Rapid7 Principal Security Researcher Stephen Fewer, this vulnerability is distinct from the earlier CVE-2024-50623, which involved unauthenticated file read and write permissions. Fewer clarified that while both vulnerabilities exist in similar code areas of Cleo products, they require different strategies for exploitation.
Key Points about the Vulnerabilities:
- CVE-2024-50623: Unauthenticated file read and write vulnerability.
- CVE-2024-55956: Unauthenticated file write vulnerability that can be exploited independently for Remote Code Execution (RCE).
Cleo addressed the newer flaw with an update released last week, urging users to upgrade to version 5.8.0.24 to mitigate risks.
Ongoing Exploitation Campaigns
Cybersecurity firm Huntress recently reported that Cleo servers in at least ten businesses were compromised during the ongoing exploitation campaign. Attackers have been deploying a previously unknown Java backdoor, dubbed “Malichus,” on these servers. Rapid7 has also shared insights regarding the Malichus backdoor and emphasized the importance of immediate updates and enhanced security measures.
Recommended Actions for Cleo Users:
- Upgrade to Cleo Version 5.8.0.24: Ensure your software is updated to the latest version.
- Limit Access: Remove Cleo products from public internet access.
- Disable Autorun Directory: This directory is a crucial part of the exploitation chain for CVE-2024-55956.
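As an added example (not code from the article or from Cleo), the triage script below applies the three recommendations to an inventory of Cleo hosts: it parses the dotted version numerically so that a build such as 5.8.0.9 correctly sorts below the fixed 5.8.0.24 (a plain string comparison gets this backwards), and flags hosts that are still internet-exposed or still have an Autorun directory configured. The inventory records and their field names are constructed assumptions, not Cleo's own data model.

```python
from dataclasses import dataclass
from typing import List, Tuple

FIXED_VERSION = "5.8.0.24"  # fixed release named in the article for CVE-2024-55956


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_below_fix(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


@dataclass
class CleoHost:
    name: str               # hypothetical inventory field
    product: str            # Harmony, VLTrader or LexiCom
    version: str
    internet_exposed: bool  # reachable from the public internet?
    autorun_configured: bool  # Autorun directory still set?


def triage(host: CleoHost) -> List[str]:
    """Return the recommended actions that still apply to this host."""
    findings = []
    if is_below_fix(host.version):
        findings.append(f"upgrade {host.product} {host.version} -> {FIXED_VERSION}")
    if host.internet_exposed:
        findings.append("remove from public internet access")
    if host.autorun_configured:
        findings.append("disable Autorun directory")
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    CleoHost("mft-01", "Harmony", "5.8.0.9", True, True),
    CleoHost("mft-02", "VLTrader", "5.8.0.24", False, True),
    CleoHost("mft-03", "LexiCom", "5.8.0.24", False, False),
]

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        print(host.name, triage(host) or ["no action needed"])
```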
Clop’s Focus on Cleo Victims
While some cybersecurity experts have speculated about a link between the Cleo attacks and the Termite ransomware group, Clop has openly claimed responsibility for this campaign. Its leak site now indicates a shift in focus solely to Cleo victims, suggesting a substantial number of targets.
Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite, emphasized the potential impact of the Cleo campaign, stating it mirrors the MOVEit attacks of 2023. He warned that thousands of companies could be affected, highlighting the need for organizations to remain vigilant and proactive in patching vulnerabilities.
Conclusion: Stay Informed and Secure
The Clop ransomware group’s continued exploitation of vulnerabilities in Cleo platforms underscores the critical importance of cybersecurity vigilance. Organizations relying on these managed file transfer systems must prioritize swift updates and security assessments to protect against potential data breaches.
For more information on cybersecurity best practices, check out our article on how to secure your file transfer systems or visit Cybersecurity and Infrastructure Security Agency (CISA) for the latest updates and advice.