Ransomware group "Termite," which recently claimed supply chain vendor Blue Yonder as a victim, may be behind widespread exploit activity targeting a previously fixed vulnerability in Cleo's LexiCom, VLTrader, and Harmony file transfer software.
Cleo is currently developing a new patch for the flaw, but nothing is yet available for the issue, which means the vulnerability is a zero-day under active attack.
Widespread Attacks
The attacks appear to have begun on Dec. 3 and have claimed at least 10 victims across multiple sectors, including consumer products, trucking and shipping, and the food industry, according to researchers at Huntress Labs who are tracking the activity. A search for vulnerable, Internet-exposed Cleo systems suggests that the actual number of victims may be higher, the security vendor said.
Rapid7 also said it had received reports of compromise and post-exploit activity involving the Cleo vulnerability from multiple customers. "File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular," Rapid7 wrote in a blog post on Dec. 10. The company recommended that affected organizations take "emergency action" to mitigate risk related to the threat.
More than 4,200 customers across industries such as logistics and transportation, manufacturing, and wholesale distribution use Cleo software for a variety of use cases. Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global.
Huntress identified the vulnerability that Termite is targeting as CVE-2024-50623, an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21. Cleo disclosed the vulnerability in October and urged customers to immediately upgrade affected products to the fixed version 5.8.0.21.
However, the patch appears to have been insufficient, because all previously affected versions of Cleo software, including the patched 5.8.0.21, remain vulnerable to the same CVE, Huntress said. "This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable," Huntress researcher John Hammond wrote. "We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released."
Working on a Patch
Cleo has acknowledged the issue and said it plans to issue a new CVE, or identifier, for the bug. In an emailed statement, a company spokesperson described the flaw as a critical issue. The statement noted that Cleo has notified customers about the threat and advised them on how to mitigate exposure until its patch becomes available. "Our investigation is ongoing," the statement said. "Customers are encouraged to check Cleo's security bulletin webpage regularly for updates."
Hammond said Huntress's analysis of the threat actor's post-exploit activity showed the attacker deploying Web shell-like functionality to establish persistence on compromised endpoints. Huntress also observed the threat actor enumerating potential Active Directory assets with nltest.exe and other domain reconnaissance tools.
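The nltest.exe reconnaissance described above is a cheap thing to hunt for in process-creation telemetry. The following is an added example, not code from Huntress, Cleo, or Dark Reading: it runs a small detection over constructed JSON-lines process events and flags nltest.exe invocations that use domain-enumeration switches. The event field names, host names, user names, and the parent image path (a placeholder javaw.exe; the article does not say which process spawned nltest.exe) are all assumptions to adapt to your own EDR or Sysmon export.

```python
"""Flag nltest.exe domain-reconnaissance invocations in process-creation events.

Added example, not vendor code. Event schema and sample data are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# nltest switches typically used to map domain controllers and trusts.
# The switch names are real nltest.exe options; the grouping is ours.
RECON_SWITCHES = {
    "/dclist", "/dsgetdc", "/domain_trusts", "/trusted_domains",
    "/all_trusts", "/server", "/bdc_query",
}

# Constructed sample events (JSON lines). Paths, hosts, users and the
# javaw.exe parent are placeholders, not observed Cleo artifacts.
SAMPLE_EVENTS = r"""
{"ts": "2024-12-09T02:14:05Z", "host": "mft01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /dclist:corp.example", "parent_image": "C:\\app\\javaw.exe"}
{"ts": "2024-12-09T02:14:09Z", "host": "mft01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /domain_trusts /all_trusts", "parent_image": "C:\\app\\javaw.exe"}
{"ts": "2024-12-09T02:15:00Z", "host": "mft01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami", "parent_image": "C:\\app\\javaw.exe"}
{"ts": "2024-12-09T08:30:11Z", "host": "ws17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /sc_query:corp.example", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
"""


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    parent_image: str
    switches: list  # matched recon switches, sorted


def is_nltest(image: str) -> bool:
    """True if the image path's file name is nltest.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "nltest.exe"


def nltest_switches(cmdline: str) -> set:
    """Return lowercased nltest switch names, with any ':argument' stripped."""
    tokens = cmdline.split()[1:]  # drop argv[0]
    return {t.split(":", 1)[0].lower() for t in tokens if t.startswith("/")}


def find_domain_recon(events_jsonl: str) -> list[Finding]:
    """Scan JSON-lines process events and return nltest recon findings."""
    findings = []
    for line in events_jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if not is_nltest(ev.get("image", "")):
            continue
        hits = nltest_switches(ev.get("cmdline", "")) & RECON_SWITCHES
        if hits:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"],
                                    ev.get("parent_image", ""), sorted(hits)))
    return findings


def hosts_with_recon_burst(findings: list[Finding], min_hits: int = 2) -> set:
    """Hosts with at least min_hits recon findings; a burst is a stronger signal
    than a lone admin running nltest once."""
    counts: dict = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return {h for h, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    results = find_domain_recon(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.ts} {f.host} {f.user} parent={f.parent_image} switches={f.switches}")
    print("burst hosts:", hosts_with_recon_burst(results))
```

On the sample data the two /dclist and /domain_trusts runs on mft01 are flagged and mft01 is reported as a burst host, while the /sc_query call on ws17 (a routine secure-channel check) is not. In production, add the parent process to the rule: nltest.exe spawned by the file transfer service's own process, rather than by an administrator's shell, is the part that should never happen.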
In comments to Dark Reading, Huntress director of adversary tactics Jamie Levy says that available evidence points to Termite as the likely perpetrator. Like the victims of the ongoing attacks, Blue Yonder had an instance of Cleo's software open to the Internet, she says. Termite claimed Blue Yonder as one of its victims and appeared to confirm it by publicly listing data belonging to the company, Levy notes.
The New Cl0p?
"There have been some rumblings that Termite might be the new Cl0p," Levy says, and data has emerged that appears to confirm these claims. Also, Cl0p's activity has waned while Termite's activity has increased, and both are operating in similar fashion. "We're not really in the attribution game, but it wouldn't be surprising at all if we're seeing a shift in these ransomware gangs at the moment," Levy says.
Max Rogers, senior director of security operations at Huntress, described the new Cleo zero-day as something that allows easy access to Cleo systems for attackers with the exploit code. "The simplest immediate action is to ensure that affected systems are not accessible from the Internet, which significantly reduces the risk of exploitation."
Rogers additionally recommends that organizations disable the autorun feature in Cleo software to limit the attack surface while waiting for an updated patch. "However, currently," he says, "the only guaranteed way to protect systems is to make them inaccessible over the Internet until a new patch is out."