mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
Generic Mastodon server for anyone to use.

Server stats:

13K
active users

Termite ransomware group operators (and maybe other groups) have a zero day exploit for Cleo LexiCom, VLTransfer, and Harmony. #ransomware #threatintel

i would fully pull the plug on impacted Cleo products until there's vendor clarity btw

Shodan dork (not exhaustive) - the Windows ones are a particular problem in terms of ransomware.

beta.shodan.io/search?query=ht

Rapid7 say "As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents." rapid7.com/blog/post/2024/12/1

Rapid7 · Widespread exploitation of Cleo file transfer software (CVE-2024-50623) | Rapid7 Blog

After my toot Cleo have issued a public advisory, they're saying versions up to 5.8.0.23 (not out yet) are impacted.

In terms of threat intel, the ransomware operators I know of only have an exploit for the Windows versions, not Linux.

support.cleo.com/hc/en-us/arti

Sophos says they have seen 50+ systems with Cleo enterprise file transfer product zero day exploitation. Huntress say 28+ customers so far. Rapid7 haven’t given numbers.

infosec.exchange/@SophosXOps/1

A writeup on the Cleo vulnerabilities, which are under mass exploitation now. Write any file into any folder by using path=..\..\..\ - since it's a webapp, just drop a webshell.

labs.watchtowr.com/cleo-cve-20

I think the Cleo thing shows the industry and community working very well, btw.

From zero day in an MFT product to approx 2/3rd of servers now offline or patched in days. As far as I know, since mass exploitation began (important caveat) none of the victims had follow on activity, ie ransomware.

That’s a really good outcome. The reason, I think, is openness and transparency - Huntress went public early and everybody leaped on it loudly in the community. Be more open.

Had the threat actor gone more slowly and hit orgs prone to cover ups (ie large enterprises) that would have been a very different outcome.

The smaller Managed Detection and Response vendors have the window to do something very funny and talk about things rather than doing a CrowdStrike, MS etc and doing a cover up - it breaks the race to the bottom, and is one area where the market is getting healthier.

For what it’s worth, I’ve found some novel ways of tracking ransomware operators. I don’t want to reveal how as I don’t want to blow the access.

Also, good on cl0p for narrowing the extortion criteria.

Cl0p ransomware group plan to start dropping data obtained from Cleo MFT zero day tomorrow for about 50 orgs, list here: infosec.exchange/@cR0w/1138791

Infosec ExchangecR0w :cascadia: (@cR0w@infosec.exchange)In case anyone else missed the list like I did, here you go: >BLUEYONDER.COM - WILL BE PUBLISHED 24.01 FRIDAY PISPL.IN - WILL BE PUBLISHED 24.01 FRIDAY LINFOX.COM - WILL BE PUBLISHED 24.01 FRIDAY ESPRIGAS.COM - WILL BE PUBLISHED 24.01 FRIDAY EKOMERCIO.COM FULL FILES PUBLISHED VIA TOR WESTERNALLIANCEBANK.COM - WILL BE PUBLISHED 24.01 FRIDAY CLEO.COM - WILL BE PUBLISHED 24.01 FRIDAY JOMARSOFTCORP.COM FULL FILES PUBLISHED VIA TOR CLAWLOGISTICS.COM - WILL BE PUBLISHED 24.01 FRIDAY CPS.EDU - WILL BE PUBLISHED 24.01 FRIDAY TERRA.COM - WILL BE PUBLISHED 24.01 FRIDAY SDITECHNOLOGIES.COM - WILL BE PUBLISHED 24.01 FRIDAY HEARSTPOWER.COM - WILL BE PUBLISHED 24.01 FRIDAY VELSOL.COM FULL FILES PUBLISHED VIA TOR STEELBLUE.COM.AU - WILL BE PUBLISHED 24.01 FRIDAY COVESTRO.COM - WILL BE PUBLISHED 24.01 FRIDAY NISSINFOODS.COM - WILL BE PUBLISHED 24.01 FRIDAY ENCOMPASSTECH.COM - WILL BE PUBLISHED 24.01 FRIDAY ICERIVERGREENBOTTLECO.COM - WILL BE PUBLISHED 24.01 FRIDAY BREAKTHROUGHFUEL.COM - WILL BE PUBLISHED 24.01 FRIDAY PREMIERSUPPLIES.COM - WILL BE PUBLISHED 24.01 FRIDAY NOWINC.CA - WILL BE PUBLISHED 24.01 FRIDAY CONSULTANTS.COM - WILL BE PUBLISHED 24.01 FRIDAY SWEETSTREET.COM - WILL BE PUBLISHED 24.01 FRIDAY WSINC.COM FULL FILES PUBLISHED VIA TOR OFSPORTAL.COM - WILL BE PUBLISHED 24.01 FRIDAY SHEERLOGISTICS.COM - WILL BE PUBLISHED 24.01 FRIDAY INNOTEKEP.COM - WILL BE PUBLISHED 24.01 FRIDAY KEEACTIONSPORTS.COM - WILL BE PUBLISHED 24.01 FRIDAY ALPINEFOODS.COM - WILL BE PUBLISHED 24.01 FRIDAY C3GROUP.NL - WILL BE PUBLISHED 24.01 FRIDAY JAKKS.COM - WILL BE PUBLISHED 24.01 FRIDAY CREELED.COM - WILL BE PUBLISHED 24.01 FRIDAY HERTZ.COM - WILL BE PUBLISHED 24.01 FRIDAY HILLBROS.COM - WILL BE PUBLISHED 24.01 FRIDAY COYOTE.COM - WILL BE PUBLISHED 24.01 FRIDAY NORTHERNONTARIOWIRES.COM - WILL BE PUBLISHED 24.01 FRIDAY BMIUSA.COM - WILL BE PUBLISHED 24.01 FRIDAY BUSINESSSYSINTEG.COM - WILL BE PUBLISHED 24.01 FRIDAY RUIA.COM - WILL BE PUBLISHED 24.01 FRIDAY MERCURYGATE.COM FULL FILES PUBLISHED VIA TOR EMKAY.COM - WILL BE PUBLISHED 24.01 FRIDAY ARROW.COM - WILL BE PUBLISHED 24.01 FRIDAY SPGUSA.COM - WILL BE PUBLISHED 24.01 FRIDAY MADENGINE.COM - WILL BE PUBLISHED 24.01 FRIDAY BRADLEYCALDWELL.COM - WILL BE PUBLISHED 24.01 FRIDAY SULLYTRANSPORT.COM - WILL BE PUBLISHED 24.01 FRIDAY SPADERFREIGHT.COM - WILL BE PUBLISHED 24.01 FRIDAY ARTIKA.COM - WILL BE PUBLISHED 24.01 FRIDAY BURRISLOGISTICS.COM - WILL BE PUBLISHED 24.01 FRIDAY WHITMOR.COM - WILL BE PUBLISHED 24.01 FRIDAY SEATTLECHOCOLATES.COM - WILL BE PUBLISHED 24.01 FRIDAY UTILISMARTCORP.COM - WILL BE PUBLISHED 24.01 FRIDAY CDRSOFTWARE.COM - WILL BE PUBLISHED 24.01 FRIDAY CALEXISCS.COM - WILL BE PUBLISHED 24.01 FRIDAY POLARISTRANSPORT.COM - WILL BE PUBLISHED 24.01 FRIDAY AMPOL.COM.AU - WILL BE PUBLISHED 24.01 FRIDAY USLUGGAGE.COM - WILL BE PUBLISHED 24.01 FRIDAY OLAMETER.COM - WILL BE PUBLISHED 24.01 FRIDAY
David

@GossiTheDog is this different to the last BlueYonder cyber incident thing from November last year?