Ransomware group “Termite” — which recently claimed supply chain vendor Blue Yonder as a victim — may be behind widespread exploit activity targeting a previously fixed vulnerability in Cleo’s LexiCom, VLTransfer, and Harmony file transfer software.
Cleo is currently developing a new patch for the flaw, but nothing is available for the issue yet, which means the vulnerability is a zero-day under active attack.
Widespread Attacks
The attacks appear to have begun on Dec. 3 and have claimed at least 10 victims across multiple sectors, including consumer products, trucking and shipping, and the food industry, according to researchers at Huntress Labs who are tracking the activity. A search for vulnerable, Internet-exposed Cleo systems suggests that the actual number of victims may be higher, the security vendor said.
Rapid7 also said it had received reports of compromise and post-exploit activity involving the Cleo vulnerability from multiple customers. “File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular,” Rapid7 wrote in a blog post on Dec. 10. The company recommended affected organizations take “emergency action” to mitigate risk related to the threat.
More than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution use Cleo software for a variety of use cases. Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global.
Huntress identified the vulnerability that Termite is targeting as CVE-2024-50623, an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21. Cleo disclosed the vulnerability in October and urged customers to immediately upgrade affected products to the fixed version 5.8.0.21.
However, the patch appears to have been insufficient, because all previously affected versions of Cleo software, including the patched 5.8.0.21, remain vulnerable to the same CVE, Huntress said. “This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable,” Huntress researcher John Hammond wrote. “We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released.”
Working on a Patch
Cleo has acknowledged the issue and said it plans to issue a new CVE, or identifier, for the bug. In an emailed statement, a company spokesperson described the flaw as a critical issue. The statement noted that Cleo has notified customers about the threat and advised them on how to mitigate exposure until its patch becomes available. “Our investigation is ongoing,” the statement said. “Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates.”
Hammond said Huntress’s analysis of the threat actor’s post-exploit activity showed the attacker deploying Web shell-like functionality for establishing persistence on compromised endpoints. Huntress also observed the threat actor enumerating potential Active Directory assets with nltest.exe and other domain reconnaissance tools.
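One way a defender can hunt for the domain reconnaissance described above is to scan process-creation telemetry for nltest.exe invoked with enumeration switches from an unexpected parent. This is an added example, not Huntress or Cleo code: the log format, the sample events and the assumption that Cleo's products run under java.exe are constructed; the nltest.exe switches are standard Windows ones.

```python
"""Flag nltest.exe domain-reconnaissance invocations in process-creation logs."""
import re
from typing import Dict, List

# Constructed sample events, one per line as "parent|image|command_line" (not real logs).
SAMPLE_LOG = """\
services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
java.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c nltest /dclist:corp.example
java.exe|C:\\Windows\\System32\\nltest.exe|nltest /domain_trusts /all_trusts
explorer.exe|C:\\Windows\\System32\\nltest.exe|nltest /sc_query:corp.example
"""

# Standard nltest.exe switches that enumerate domain controllers and trusts.
RECON_SWITCHES = re.compile(r"/(dclist|domain_trusts|trusted_domains|dsgetdc)\b", re.I)

# Assumption: the Cleo products are Java applications, so a child of java.exe on a
# file-transfer host is anomalous. Substitute the real service image for your deployment.
SUSPICIOUS_PARENTS = {"java.exe"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the constructed pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("|", 2)
        events.append({"parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events


def find_recon(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return nltest recon hits; severity is raised when the parent is unexpected."""
    hits = []
    for ev in events:
        if "nltest" not in ev["cmd"].lower():
            continue
        match = RECON_SWITCHES.search(ev["cmd"])
        if not match:
            continue  # e.g. /sc_query is routine secure-channel checking
        severity = "high" if ev["parent"] in SUSPICIOUS_PARENTS else "medium"
        hits.append({"parent": ev["parent"], "switch": match.group(1).lower(),
                     "severity": severity, "cmd": ev["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in find_recon(parse_events(SAMPLE_LOG)):
        print(f"[{hit['severity']}] parent={hit['parent']} switch={hit['switch']}: {hit['cmd']}")
```

Feed it real process-creation events (Sysmon Event ID 1 or EDR telemetry) by adapting parse_events; the scoring logic does not change.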
In comments to Dark Reading, Huntress director of adversary tactics Jamie Levy says that available evidence points to Termite as the likely perpetrator. Like the victims of the ongoing attacks, Blue Yonder had an instance of Cleo’s software open to the Internet, she says. Termite claimed Blue Yonder as one of its victims and appeared to confirm it by publicly listing data belonging to the company, Levy notes.
The New Cl0p?
“There have been some rumblings that Termite might be the new Cl0p,” Levy says, and data has emerged that appears to confirm those claims. Also, Cl0p’s activities have waned while Termite’s activities have increased. Both are operating in similar models. “We’re not really in the attribution game, but it wouldn’t be surprising at all if we’re seeing a shift in these ransomware gangs at the moment,” Levy says.
Max Rogers, senior director of security operations at Huntress, described the new Cleo zero-day as something that enables easy access to Cleo systems for attackers with the exploit code. “The most effective immediate action is to ensure that affected systems are not accessible from the Internet, which significantly reduces the risk of exploitation.”
Rogers additionally recommends that organizations disable the autorun feature in Cleo software to limit the attack surface while waiting for an updated patch. “However, at this time,” he says, “the only guaranteed way to protect systems is to make them inaccessible over the Internet until a new patch is out.”