Blumira Resources & Blog

Vulnerabilities in Cleo Software Allow for Unauthenticated Remote Code Execution via CVE-2024-55956

Written by Jake Ouellette | Dec 17, 2024 4:47:01 PM

What Happened

On December 9th, Huntress released a threat advisory reporting a vulnerability and active exploitation of the file transfer management software offered by Cleo, a software company known for its ‘ecosystem integration platform’.

Designated as CVE-2024-55956, the exploitation centers on an unrestricted file upload and download vulnerability that can lead to remote code execution. It affects versions prior to 5.8.0.24 of Cleo’s Harmony, VLTrader, and LexiCom software. It’s also important to note that this vulnerability has been confirmed to require no prior authentication. Unauthenticated remote code execution vulnerabilities are valuable targets for threat actors because they allow direct system compromise without the need to bypass authentication controls or obtain valid credentials first. Huntress and Rapid7 have both confirmed observations of active exploitation attempts in the wild.

CVE ID: CVE-2024-55956
CVSS: High - 8.8
Summary: In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

It’s also important to note that two CVE IDs are attributed to this vulnerability. This can be slightly confusing, so here is a short explanation.

  • CVE-2024-50623: issued to track the original remote code execution vulnerability disclosed by Cleo in October 2024. The patch released to address this CVE was later shown to be inadequate in preventing exploitation.
  • CVE-2024-55956: issued to track the bypass of the original patch, and is the current CVE used to track these Cleo remote code execution vulnerabilities.

If you are still unsure or don’t have time to dive into the specifics, just make sure your Cleo software is on 5.8.0.24 or higher. That way, you’re protected from both of these CVEs.

What That Means

Administrators managing Harmony, VLTrader, and LexiCom software should patch immediately to version 5.8.0.24 or higher. Vulnerabilities affecting these products can lead to remote code execution and allow an attacker into your network. Additionally, “in the wild” scanning and exploitation of these vulnerabilities has been confirmed by multiple sources.

Exploitation of this vulnerability allows an attacker to gain a foothold in the network. From there, they may decide to pivot within the network or act more quickly and deploy ransomware right from the initial compromised host. In some confirmed instances of exploitation, defenders have seen attackers move further into the network and attempt to perform domain reconnaissance using tools such as nltest.

Who’s Impacted

The following list has been lifted directly from the Cleo Product Security Update for CVE-2024-55956.

  • Cleo Harmony® (prior to version 5.8.0.24)
  • Cleo VLTrader® (prior to version 5.8.0.24)
  • Cleo LexiCom® (prior to version 5.8.0.24)

How Would I Know and What Should I Do

Several indicators of compromise have been revealed by Huntress researchers:

File artifacts appear under your Harmony, VLTrader, or LexiCom installation directory, typically under C:\ or C:\Program Files (x86), e.g. C:\LexiCom or C:\Program Files (x86)\Lexicom. Several IPs have also been associated with confirmed Cleo attacks.

IoC Type        IoC
File Artifact   Autorun\healthchecktemplate.txt
File Artifact   Autorun\healthcheck.txt
File Artifact   Main.xml
File Artifact   60282967-dc91-40ef-a34c-38e992509c2c.xml
Attacker IP     176.123.5.126
Attacker IP     5.149.249.226
Attacker IP     185.181.230.103
Attacker IP     209.127.12.38
Attacker IP     181.214.147.164
Attacker IP     192.119.99.42

Huntress researchers have collected examples of these file artifacts and have reported that they contain encoded PowerShell commands. Additionally, there may be a .dbg log file under the logs directory (e.g. C:\LexiCom\logs) that you can review to identify whether any suspicious files have been uploaded to the autorun directory. The Cleo autorun feature and directory appear to be a pivotal component of the exploit chain.

If you suspect a Cleo instance has been compromised, you should immediately attempt to contain the incident and establish its scope. In some cases, it may be advisable to isolate the Cleo service, recover from a known-good backup, and apply the latest patches before bringing it back online. It is also recommended to rotate any administrator or user account passwords local to any compromised devices.
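The sweep described above, as an added example that is not Cleo’s, Huntress’s, or Blumira’s code: it checks one install directory for the listed file artifacts and searches any .dbg files under logs for mentions of the Autorun directory or the artifact names. The artifact paths are taken from the table and assumed to be relative to the install root; the .dbg log format is not assumed, so the logs are searched as plain text, and the sample install tree is constructed for demonstration.

```python
"""Sweep a Cleo Harmony/VLTrader/LexiCom install directory for the CVE-2024-55956
file artifacts and related .dbg log lines. Added example, not vendor code."""
from pathlib import Path
import re
import tempfile

# Artifact paths from the advisory table, assumed relative to the install root.
ARTIFACTS = [
    "Autorun/healthchecktemplate.txt",
    "Autorun/healthcheck.txt",
    "Main.xml",
    "60282967-dc91-40ef-a34c-38e992509c2c.xml",
]

# Any .dbg line mentioning the Autorun directory or an artifact name warrants review.
LOG_PATTERN = re.compile(r"autorun|healthcheck|60282967-dc91-40ef-a34c-38e992509c2c", re.I)


def scan_install(root):
    """Return (artifacts_found, suspicious_log_lines) for one install directory.

    artifacts_found: the ARTIFACTS entries that exist on disk.
    suspicious_log_lines: (log file name, line number, line) for matching lines.
    """
    root = Path(root)
    found = [a for a in ARTIFACTS if (root / a).is_file()]
    hits = []
    for log in sorted((root / "logs").glob("*.dbg")):
        for n, line in enumerate(log.read_text(errors="replace").splitlines(), 1):
            if LOG_PATTERN.search(line):
                hits.append((log.name, n, line.strip()))
    return found, hits


def build_sample_install():
    """Constructed sample tree (not a real Cleo layout) with one planted artifact."""
    root = Path(tempfile.mkdtemp(prefix="lexicom_"))
    (root / "Autorun").mkdir()
    (root / "logs").mkdir()
    (root / "Autorun" / "healthcheck.txt").write_text("constructed placeholder\n")
    (root / "logs" / "LexiCom.dbg").write_text(
        "constructed line: routine startup\n"
        "constructed line: file written to Autorun\\healthcheck.txt\n"
    )
    return root


if __name__ == "__main__":
    found, hits = scan_install(build_sample_install())
    print("artifacts present:", found)
    for name, n, line in hits:
        print(f"{name}:{n}: {line}")
```

On a real host, call scan_install on each Cleo install directory (e.g. C:\LexiCom) and treat any returned artifact or log hit as a trigger for the containment steps above.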

Cleo has also offered resources for response and mitigation (behind a login).

Workarounds

If you are unable to patch your Cleo instances in a timely manner, consider taking them offline until you are able to do so, or at least disable any public internet access they may have. Additionally, a temporary workaround has been suggested by Huntress to limit the attack surface. They have stated that this workaround will stop execution, but “will not prevent the arbitrary file-write vulnerability until a patch is released.”

When Will it be Fixed?

Patches are available and have been released by Cleo.

  • Cleo Harmony® (version 5.8.0.24 or higher)
  • Cleo VLTrader® (version 5.8.0.24 or higher)
  • Cleo LexiCom® (version 5.8.0.24 or higher)

How Blumira Can Help

Blumira’s security team is actively monitoring this issue and looking for additional ways to detect any stage of exploitation of these vulnerabilities.

Several detections and reports are available to our customers and would help reveal any possible exploitation of these vulnerabilities or post-exploitation activity:

Type                          Name
Detection                     Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts
Detection                     Nltest Domain Enumeration
Detection                     AdFind Domain Enumeration
Detection                     Reconnaissance via Net Commands
Detection                     PowerShell: Encoded Command Execution
Detection (default disabled)  PowerShell: Execution Policy Bypass
Detection                     PowerShell: Download Invocation
Report                        Windows: Potentially Malicious PowerShell