Cleo Zero-Day Attacks Are Most Likely Caused by "Termite" Ransomware

The ransomware group "Termite" may be responsible for widespread attack activity targeting a previously patched vulnerability in Cleo's LexiCom, VLTrader, and Harmony file transfer software. The group recently claimed supply chain provider Blue Yonder as a victim. No fix is available at the moment, so the vulnerability is a zero-day under active attack, even though Cleo is working on a new patch.

Pervasive Attacks

Researchers at Huntress Labs are monitoring the attacks, which seem to have started on Dec. 3 and have affected at least 10 victims in a variety of industries, including the food industry, trucking and shipping, and consumer goods. According to the security provider, a search for susceptible, Internet-exposed Cleo systems indicates that the true victim count might be greater.

Additionally, Rapid7 reported that several customers had contacted them about compromise and post-exploit activity using the Cleo vulnerability. Rapid7 stated in a blog post on December 10 that "File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular." The business advised impacted firms to take "emergency action" in order to reduce the threat's risk.

Cleo software is used for a wide range of use cases by more than 4,200 clients across several industries, including manufacturing, wholesale distribution, logistics, and transportation. Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global are a few well-known brands.

The vulnerability Termite is targeting, according to Huntress, is CVE-2024-50623, an unauthenticated remote code execution (RCE) vulnerability in versions of Cleo Harmony, VLTrader, and LexiCom before 5.8.0.21. Cleo disclosed the vulnerability in October and urged customers to immediately upgrade affected products to the fixed version 5.8.0.21.

According to Huntress, all previously impacted Cleo software versions, including the patched 5.8.0.21, are still susceptible to the same CVE, suggesting that the patch was insufficient. "This vulnerability is being actively exploited in the wild, and fully patched systems running 5.8.0.21 are still exploitable," wrote John Hammond, a researcher at Huntress. "We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released."

Developing a Patch

Cleo has acknowledged the problem and stated that it intends to release a new CVE identifier for it. A company spokeswoman called the defect a critical issue in an emailed statement. According to the statement, Cleo has informed customers about the risk and given them guidance on how to reduce their exposure until its patch becomes available. "Our investigation is ongoing," the statement said. "Customers are encouraged to check Cleo's security bulletin webpage regularly for updates."

According to Hammond, Huntress's analysis of the threat actor's post-exploit activity shows the attacker using Web shell-like functionality to establish persistence on compromised endpoints. Huntress also observed the threat actor using nltest.exe and other domain reconnaissance tools to enumerate potential Active Directory assets.
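The domain-reconnaissance behaviour described above is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from Huntress or Cleo: it runs simple detection logic over a handful of constructed Sysmon-style process-creation events and flags hosts where several reconnaissance commands cluster in a short window. The host names, timestamps, command lines and the choice of nltest/net switches to match are assumptions made for the example; the article only states that nltest.exe and "other domain reconnaissance tools" were used.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data): one record per process creation.
SAMPLE_EVENTS = [
    {"host": "xfer01", "ts": "2024-12-04T02:11:05Z",
     "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "nltest /dclist:corp.example"},
    {"host": "xfer01", "ts": "2024-12-04T02:11:09Z",
     "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "xfer01", "ts": "2024-12-04T02:11:20Z",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net group \"Domain Admins\" /domain"},
    # A lone secure-channel health check on a workstation: benign, should not alert.
    {"host": "ws42", "ts": "2024-12-04T09:00:01Z",
     "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "nltest /sc_query:corp.example"},
    {"host": "ws42", "ts": "2024-12-04T09:30:00Z",
     "image": "C:\\Program Files\\Vendor\\app.exe",
     "cmdline": "app.exe --sync"},
]

# Command-line patterns treated as AD enumeration (assumption: these are the
# nltest/net switches an analyst would typically hunt for, not a list from the article).
RECON_PATTERNS = {
    "nltest_domain_enum": re.compile(r"nltest(\.exe)?\s+.*(/dclist|/domain_trusts|/dsgetdc)", re.I),
    "net_domain_group": re.compile(r"net(\.exe)?\s+group\s+.*\s+/domain", re.I),
}


def _parse_ts(value):
    # ISO-8601 with a trailing Z; normalised so fromisoformat accepts it on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(event):
    """Return the list of reconnaissance tags whose pattern matches the command line."""
    cmd = event.get("cmdline", "")
    return [tag for tag, pattern in RECON_PATTERNS.items() if pattern.search(cmd)]


def find_recon_bursts(events, window_seconds=300, threshold=2):
    """Map host -> list of (timestamp, tag, cmdline) for the first burst of at least
    `threshold` reconnaissance commands seen within `window_seconds` on that host."""
    per_host = defaultdict(list)
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]].append((_parse_ts(ev["ts"]), tag, ev["cmdline"]))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i in range(len(hits)):
            j = i
            # Extend the window forward while later hits stay within window_seconds of hit i.
            while j + 1 < len(hits) and (hits[j + 1][0] - hits[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                alerts[host] = [(t.isoformat(), tag, cmd) for t, tag, cmd in hits[i:j + 1]]
                break
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_recon_bursts(SAMPLE_EVENTS), indent=2))
```

The burst logic matters more than any single pattern: a single nltest call is routine on many domain-joined machines, while several enumeration commands within minutes of each other on a file transfer server is the shape of the post-exploit activity the article describes. In a real deployment the parent process of these commands would be the stronger signal, but the article does not name the Cleo process that spawned them, so the example does not assume one.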

Jamie Levy, director of adversary tactics at Huntress, told Dark Reading that the evidence suggests Termite is the most likely culprit. "Blue Yonder had an instance of Cleo's software open to the Internet, just like the victims of the ongoing attacks," she says. According to Levy, Termite publicly listed Blue Yonder's files, seemingly confirming its claim that the company was one of its victims.

The New Cl0p?

"There have been some rumblings that Termite might be the new Cl0p," Levy says, and data has emerged that appears to substantiate those claims. Cl0p's activity has waned while Termite's has increased, and both operate in a similar fashion. "We're not really in the attribution game, but it wouldn't be surprising at all if we are seeing a shift in these ransomware gangs at the moment," Levy says.

According to Max Rogers, senior director of security operations at Huntress, the new Cleo zero-day makes it easy for attackers to use the exploit code to gain access to Cleo systems. "The most effective immediate action is to ensure that affected systems are not accessible from the Internet, which significantly reduces the risk of exploitation."

To reduce the attack surface while awaiting a new patch, Rogers advises organizations to turn off the autorun option of the Cleo software. "However, at this time," he says, "the only guaranteed way to protect systems is to make them inaccessible over the Internet until a new patch is out."