Termite ransomware group operators (and maybe other groups) have a zero day exploit for Cleo LexiCom, VLTransfer, and Harmony. #ransomware #threatintel
This is a build upon Huntress' (excellent) blog https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
i would fully pull the plug on impacted Cleo products until there's vendor clarity btw
Shodan dork (not exhaustive) - the Windows ones are a particular problem in terms of ransomware.
https://beta.shodan.io/search?query=http.html_hash%3A1534766930
Cleo have issued a (paywalled) advisory about the zero day, saying a new CVE number is being allocated.
Rapid7 say "As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents." https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/
After my toot Cleo have issued a public advisory, they're saying versions up to 5.8.0.23 (not out yet) are impacted.
In terms of threat intel, the ransomware operators I know of only have an exploit for the Windows versions, not Linux.
https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Peding
"In an emailed statement given to TechCrunch, Jorge Rodriguez, SVP of product Development at Cleo, said that a patch for the critical vulnerability is “under development.”
Sophos says they have seen 50+ systems with Cleo enterprise file transfer product zero day exploitation. Huntress say 28+ customers so far. Rapid7 haven’t given numbers.
A writeup on the Cleo vulnerabilities, which are under mass exploitation now. Write any file into any folder by using path=..\..\..\ - since it's a webapp, just drop a webshell.
Another write up on the Cleo zero day: https://arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/
I think the Cleo thing shows the industry and community working very well, btw.
From zero day in an MFT product to approx 2/3rd of servers now offline or patched in days. As far as I know, since mass exploitation began (important caveat) none of the victims had follow on activity, ie ransomware.
That’s a really good outcome. The reason, I think, is openness and transparency - Huntress went public early and everybody leaped on it loudly in the community. Be more open.
Had the threat actor gone more slowly and hit orgs prone to cover ups (ie large enterprises) that would have been a very different outcome.
The smaller Managed Detection and Response vendors have the window to do something very funny and talk about things rather than doing a CrowdStrike, MS etc and doing a cover up - it breaks the race to the bottom, and is one area where the market is getting healthier.
CISA have added the new CVE for the Cleo zero day to KEV.
Top stuff from Bleeping Computer here in terms of investigation.
So it looks like some ransomware operators are wearing multiple group hats.
For what it’s worth, I’ve found some novel ways of tracking ransomware operators. I don’t want to reveal how as I don’t want to blow the access.
Also, good on cl0p for narrowing the extortion criteria.
Cl0p ransomware group plan to start dropping data obtained from Cleo MFT zero day tomorrow for about 50 orgs, list here: https://infosec.exchange/@cR0w/113879140146742766
@GossiTheDog is this different to the last BlueYonder cyber incident thing from November last year?