Update: Dec 11, 2024. Find the latest information in our follow-up security bulletin.
On December 7, 2024, Arctic Wolf began observing a novel campaign exploiting Cleo Managed File Transfer (MFT) products across several customer environments. Initial indications of malicious activity in this campaign were identified as early as October 19, with a sharp increase in early December. Arctic Wolf has Managed Detection and Response detections in place for this campaign and will continue to notify customers when new instances of this activity are observed.
Initial Access
Preliminary evidence suggests that the remote code execution (RCE) vulnerability, CVE-2024-50623, in Cleo software may have been used to execute a malicious PowerShell script. While the exact method of initial access is not yet confirmed, this vulnerability is known to affect both Windows and Linux versions of Harmony, VLTrader, and LexiCom.
Cleo recommends upgrading to address CVE-2024-50623, a remote code execution (RCE) vulnerability that was patched in October. However, Arctic Wolf cannot confirm whether the observed threat activity was tied to this vulnerability or a separate one. Additionally, Arctic Wolf is aware of reports suggesting that even patched devices have been affected by the threat activity described here.
To minimize risks associated with this campaign, Arctic Wolf strongly recommends applying the configuration hardening guidance from Cleo support as well as upgrading to the latest supported versions of the affected software.
Attack Chain
In threat activity observed by Arctic Wolf Labs, a malicious PowerShell script connects to an external IP, downloads a secondary payload, and then executes it. The secondary payload then creates and runs a Java ARchive (JAR) file through the Cleo software. These processes are carried out using Cleo Autorun, a feature within Cleo’s MFT solutions that automatically triggers predefined processes or scripts when certain files or events are encountered.
After gaining initial access, threat actors were observed performing reconnaissance using net, nltest, and systeminfo commands on compromised systems to gather information which could potentially facilitate lateral movement within the network.
Risk Assessment
MFT solutions are attractive targets for threat actors, particularly ransomware groups, due to the significant amount of data they can access if an instance is compromised. One of the most notable cyber incidents in 2023 involved the Cl0p ransomware group exploiting a MOVEit Transfer vulnerability (CVE-2023-34362), affecting over 2,000 organizations globally. Given the popularity of MFTs as targets, it is likely that threat actors will continue exploiting this type of vulnerability in the near future.
Recommendations
Configuration Hardening for Autorun Feature in Cleo Products
Within Cleo products, the Autorun feature runs an import command from a randomly named file that contains the suspected bash or PowerShell command. Cleo recommends disabling this feature if it is not used for critical functions and otherwise recommends restricting it as described below.
To Disable Autorun Altogether
- Navigate to the System Options in your respective Cleo product.
- Blank out the Autorun directory to disable the Autorun feature.
Hardening Autorun Configuration
- Use filesystem commands to make the Autorun directory:
  - Read-Only
  - No Write
  - No Execute
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of the affected Cleo product to address additional discovered potential attack vectors of the vulnerability. Please note that Arctic Wolf is aware of reports suggesting that the latest available patch does not address the exploitation described in this bulletin. Please see the previous section for additional configuration hardening steps.
| Product | Affected Version | Fixed Version |
|---|---|---|
| Cleo Harmony | Prior to version 5.8.0.21 | Version 5.8.0.21 |
| Cleo VLTrader | Prior to version 5.8.0.21 | Version 5.8.0.21 |
| Cleo LexiCom | Prior to version 5.8.0.21 | Version 5.8.0.21 |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Remove Suspicious Files From Cleo Software Folders
Cleo support recommends the following steps to remove malicious files from the threat activity described in this bulletin.
- Using the Admin UI (LexiCom/VLTrader/Harmony):
  - Search for bash or PowerShell commands in all hosts.xml files.
  - If any unknown host files are found, remove them along with their associated Hosts/Actions.
- Remove the following files if present:
  - cleo.####.jar files (e.g., cleo.5264.jar, cleo.6597.jar, etc.) from the installation directory of Harmony, VLTrader, or LexiCom.
  - autorun\healthchecktemplate.txt
  - temp\Harmony235462786353.tmp
  - hosts\main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml
These actions will help mitigate any risks related to unauthorized access or exploitation.
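The following script, added here as an example and not part of Cleo's or Arctic Wolf's own tooling, automates the two checks above against one Cleo installation directory: it looks for the files the bulletin names (matching cleo.####.jar by pattern since the number varies) and flags any hosts.xml that references a shell launcher. The install path, the `scan_cleo_install` function name and the constructed sample tree are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# File names taken from the bulletin; cleo.####.jar varies, so it is matched by regex
JAR_NAME = re.compile(r"^cleo\.\d+\.jar$", re.IGNORECASE)
KNOWN_PATHS = [
    Path("autorun") / "healthchecktemplate.txt",
    Path("temp") / "Harmony235462786353.tmp",
    Path("hosts") / "main.xml",
    Path("hosts") / "60282967-dc91-40ef-a34c-38e992509c2c.xml",
]
# Shell launchers that should not appear inside a host/action definition
SHELL_HINT = re.compile(r"\b(powershell|pwsh|bash|cmd\.exe)\b", re.IGNORECASE)


def scan_cleo_install(install_dir):
    """Return (reason, path) findings for one Harmony/VLTrader/LexiCom install root."""
    root = Path(install_dir)
    findings = []
    for rel in KNOWN_PATHS:                       # bulletin-listed artifacts
        if (root / rel).exists():
            findings.append(("bulletin-listed file", str(root / rel)))
    for entry in root.iterdir():                  # cleo.####.jar in the install root
        if entry.is_file() and JAR_NAME.match(entry.name):
            findings.append(("cleo.####.jar in install root", str(entry)))
    for xml in root.rglob("hosts.xml"):           # shell commands embedded in hosts.xml
        match = SHELL_HINT.search(xml.read_text(errors="ignore"))
        if match:
            findings.append((f"shell launcher '{match.group(0)}' in hosts.xml", str(xml)))
    return findings


def build_sample_install():
    """Constructed sample tree (not real data) laid out like a compromised install."""
    root = Path(tempfile.mkdtemp(prefix="cleo-sample-"))
    (root / "cleo.5264.jar").write_bytes(b"PK\x03\x04constructed")
    (root / "autorun").mkdir()
    (root / "autorun" / "healthchecktemplate.txt").write_text("constructed")
    (root / "hosts").mkdir()
    (root / "hosts" / "main.xml").write_text("<Host/>")
    (root / "hosts" / "hosts.xml").write_text("<Action>powershell.exe constructed</Action>")
    (root / "hosts" / "partner.xml").write_text("<Host name='partner'/>")  # benign host
    return root


if __name__ == "__main__":
    for reason, path in scan_cleo_install(build_sample_install()):
        print(f"{reason}: {path}")
```

Run it against each installation directory as the service account that owns the files, and treat any hit as an indicator to be reviewed before removal, since the hosts.xml check only finds plain-text launcher names.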