On December 7, 2024, Arctic Wolf began observing a novel campaign exploiting Cleo Managed File Transfer (MFT) products across several customer environments. The vulnerability in this campaign involved unauthorized remote code execution (RCE) through the manipulation of the filesystem, and was suspected of being related to CVE-2024-50623. Most intrusions associated with this campaign were observed in early December.
Since our previous security bulletin, several reports have emerged describing activity similar to what we observed. The key updates are:
- Reports have emerged suggesting that threat actors deploying Termite ransomware may be responsible for the zero-day.
- A proof-of-concept (PoC) exploit has now been published by WatchTowr, increasing the risk of widespread exploitation.
- The patches released for CVE-2024-50623 were found to be ineffective against the active campaign. A new CVE identifier has not yet been assigned for this vulnerability.
- Cleo is expected to release version 5.8.0.23 across affected products to address the vulnerability in the coming days.
- Since fully patched systems running 5.8.0.21 are still exploitable, the safest mitigation at this time is to remove any internet-exposed Cleo systems from the internet until a new patch is released.
Recommendations
Remove Internet-Exposed Cleo Systems from the Internet
Due to a patch not being available at the time of writing, Arctic Wolf strongly recommends removing any internet-exposed Cleo systems from the internet until a new patch is released.
Remove Suspicious Files From Cleo Software Folders
Cleo support recommends the following steps to remove malicious files associated with the threat activity described in this security bulletin.
- Using the Admin UI (LexiCom/VLTrader/Harmony):
  - Search for bash or PowerShell commands in all hosts.xml files.
  - If any unknown host files are found, remove them along with their associated Hosts/Actions.
- Remove the following files if present:
  - cleo.####.jar files (e.g., cleo.5264.jar, cleo.6597.jar) from the installation directory of Harmony, VLTrader, or LexiCom.
  - autorun\healthchecktemplate.txt
  - temp\Harmony235462786353.tmp
  - hosts\main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml
These actions will help mitigate risks related to unauthorized access or exploitation.
Partial Workaround
Configuration Hardening for Autorun Feature in Cleo Products
Within Cleo products, the Autorun feature runs an import command from a randomly named file that contains the suspicious bash or PowerShell command. Cleo recommends disabling this feature if it is not used for critical functions, and otherwise recommends restricting it as described below.
Note: These steps will not stop exploitation of the vulnerability described in the bulletin but will reduce the attack surface.
To Disable Autorun Altogether
- Navigate to the System Options in your respective Cleo product.
- Blank out the Autorun directory to disable the Autorun feature.
Hardening Autorun Configuration
- Use filesystem commands to make the Autorun directory:
  - Read-Only
  - No Write
  - No Execute
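The file-removal steps and the Autorun hardening above can be checked in one read-only triage pass over a Cleo install directory. The script below is an added example, not Arctic Wolf or Cleo code: it looks for the file names the bulletin lists, greps every XML file under hosts\ for embedded shell or PowerShell command tokens, and reports whether the autorun directory is still writable. The "/bin/sh" and "cmd.exe" tokens, the placement of the GUID-named file under hosts\, and the sample tree it builds are assumptions; the sample data is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# File names taken from the bulletin; cleo.####.jar is matched by regex below.
IOC_FILES = [
    "autorun/healthchecktemplate.txt",
    "temp/Harmony235462786353.tmp",
    "hosts/main.xml",
    "hosts/60282967-dc91-40ef-a34c-38e992509c2c.xml",  # assumed to sit beside main.xml
]
JAR_RE = re.compile(r"^cleo\.\d+\.jar$", re.IGNORECASE)
# Tokens that indicate a shell or PowerShell command embedded in a host definition.
# "bash" and "powershell" come from the bulletin; "/bin/sh" and "cmd.exe" are assumed.
CMD_RE = re.compile(r"powershell|\bbash\b|/bin/sh|cmd\.exe", re.IGNORECASE)


def scan_install(root):
    """Return sorted (kind, detail) findings for a Cleo install directory; nothing is modified."""
    root = Path(root)
    findings = []
    for rel in IOC_FILES:                      # known file names from the bulletin
        if (root / rel).exists():
            findings.append(("ioc_file", rel))
    for p in root.iterdir():                   # cleo.####.jar dropped in the install root
        if p.is_file() and JAR_RE.match(p.name):
            findings.append(("ioc_file", p.name))
    hosts = root / "hosts"
    if hosts.is_dir():                         # command strings inside any hosts XML file
        for xml in sorted(hosts.rglob("*.xml")):
            m = CMD_RE.search(xml.read_text(errors="replace"))
            if m:
                findings.append(("host_command", f"{xml.relative_to(root).as_posix()}: {m.group(0)}"))
    autorun = root / "autorun"
    if autorun.is_dir() and os.access(autorun, os.W_OK):   # hardening check from the workaround
        findings.append(("autorun_writable", "autorun"))
    return sorted(findings)


def make_constructed_sample():
    """Build a constructed install tree (not real Cleo data) that trips each check."""
    root = Path(tempfile.mkdtemp(prefix="cleo_sample_"))
    (root / "cleo.5264.jar").write_bytes(b"PK\x03\x04")          # placeholder jar header only
    for d in ("hosts", "autorun"):
        (root / d).mkdir()
    (root / "hosts" / "clean.xml").write_text("<Host alias='partner'><Mailbox/></Host>")
    (root / "hosts" / "main.xml").write_text("<Host><Action><Command>bash -c id</Command></Action></Host>")
    (root / "autorun" / "healthchecktemplate.txt").write_text("import")
    return root
```

Run `scan_install()` against the real installation root; on Windows, `os.access` reflects the basic read-only attribute rather than the full ACL, so confirm the autorun directory permissions with `icacls` as well.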