Key Takeaways
- A zero-day vulnerability, tracked as CVE-2024-55956, was discovered in three Cleo products
- Cleo is the developer of various managed file transfer platforms with approximately 4,000 customers, mostly mid-sized organizations
- CVE-2024-55956 could allow unauthenticated users to import and execute arbitrary Bash or PowerShell commands on host systems by leveraging default settings of the Autorun directory
- The threat actor group CL0P has claimed responsibility for exploiting the vulnerability, with data theft as the goal
- We recommend upgrading to version 5.8.0.24 immediately
Background
A zero-day vulnerability, tracked as CVE-2024-55956, was recently discovered in 3 of Cleo’s managed file transfer platforms: Cleo Harmony, VLTrader, and LexiCom. This vulnerability was found in versions of these products prior to 5.8.0.24. If exploited, CVE-2024-55956 could allow an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on a host system by leveraging default settings of the Autorun directory.
Managed file transfer platforms such as Cleo Harmony, VLTrader, and LexiCom are used by organizations to securely exchange files with their business partners and customers, which makes them a highly desirable target for threat actors. According to its website, Cleo has approximately 4,000 customers of varying size across industries including manufacturing, retail, healthcare, and logistics. Cleo Harmony offers the most comprehensive feature set and targets enterprise clients, VLTrader targets mid-sized organizations, and LexiCom works primarily as a desktop-based client for interacting with major trading networks.
The threat actor CL0P has claimed responsibility for the zero-day activity pertaining to CVE-2024-55956. Initial forensic evidence indicates vulnerability exploitation began in early December 2024.
The threat actor’s ultimate goal and the initially observed activity are consistent with data theft. While system compromise for further lateral movement, or establishing a foothold for a future pivot, may be possible depending on the victim’s network layout and internal design, this does not appear consistent with CL0P’s activities observed to date. Follow-on threat actors may seek to exploit the vulnerability on systems that remain unpatched.
In related activity, a previously disclosed vulnerability in Cleo managed file transfer products, tracked as CVE-2024-50623, was discovered and patched in version 5.8.0.21 in October, but the patch was found to be partially ineffective. That vulnerability could allow unrestricted file upload and download, which could lead to remote code execution (RCE).
CVE Details
The information captured here is a point-in-time snapshot and is subject to change as the activity associated with these CVEs continues to be analyzed and additional forensic data is reviewed.
Recommendations for CVE-2024-55956
- Upgrade to version 5.8.0.24
- Admins who cannot immediately upgrade are advised to disable the Autorun feature by clearing out the Autorun directory from the System Options to reduce the attack surface.
- Remove affected products from the public internet and ensure they are behind a firewall wherever possible.
- Conduct a forensic investigation to determine if compromise took place, if malware was left behind, and if data exfiltration occurred.
Indicators of Compromise (IOCs)
| Type | Value | Comment |
| --- | --- | --- |
| URL | 45.182.189.102/dpixel | Cobalt Strike payload folder |
| SHA-256 | 6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c | Java Loader |
| File | healthcheck.txt | Autorun file |
| File | healthchecktemplate.txt | Autorun file |
| File | 60282967-dc91-40ef-a34c-38e992509c2c.xml | XML file to prepare post-exploitation |
| IP | 45.182.189[.]102 | Cobalt Strike Server |
| IP | 216.245.221[.]83 | C2 |
| IP | 92.51.2[.]221 | C2 |
| IP | 67.220.94[.]173 | C2 |
| IP | 184.107.3[.]70 | C2 |
| IP | 186.162.118[.]133 | C2 |
| IP | 186.128.224[.]0 | C2 |
| IP | 186.136.204[.]137 | C2 |
| IP | 58.180.61[.]138 | C2 |
| IP | 45.140.145[.]68 | C2 |
| IP | 6.149.249[.]226 | C2 |
| IP | 192.119.99[.]42 | C2 |
| IP | 176.123.4[.]226 | C2 |
| IP | 80.82.78[.]42 | C2 |
| IP | 176.125.101[.]115 | C2 |
| IP | 45.182.189[.]226 | C2 |
| IP | 185.162.128[.]100 | C2 |
| IP | 185.162.128[.]219 | C2 |
| IP | 6.184.168[.]25 | C2 |
| IP | 181.214.147[.]164 | C2 |
| IP | 209.127.121[.]38 | C2 |
| IP | 89.248.172[.]139 | C2 |
| IP | 5.149.228[.]109 | C2 |
| IP | 176.123.4[.]146 | C2 |
| IP | 45.182.189[.]102 | C2 |
| IP | 176.123.5[.]126 | C2 |
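The following triage script is an added example for this advisory; it is not Cleo's code or tooling from the advisory's authors. It ties together two things the advisory asks defenders to do: the version and Autorun-directory checks from the recommendations section, and matching the IOC table against a host's Autorun directory listing and its logs. The indicator values are copied from the table above; the log format, the sample log lines, the sample directory listing, and the `autorun` path used at the bottom are constructed assumptions, so substitute the directory configured under System Options on the host being checked.

```python
"""Triage helpers for the Cleo CVE-2024-55956 advisory.

Added example, not Cleo's code or the advisory's own tooling.
Indicator values come from the advisory's IOC table; file paths,
log formats and sample inputs below are constructed assumptions.
"""
import hashlib
import re
from pathlib import Path

# Fixed version named in the advisory: any older build is affected.
FIXED_VERSION = (5, 8, 0, 24)

# Indicators copied from the advisory's IOC table.
IOC_AUTORUN_FILES = {
    "healthcheck.txt",
    "healthchecktemplate.txt",
    "60282967-dc91-40ef-a34c-38e992509c2c.xml",
}
IOC_SHA256 = {"6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c"}
IOC_IPS_DEFANGED = [
    "45.182.189[.]102", "216.245.221[.]83", "92.51.2[.]221", "67.220.94[.]173",
    "184.107.3[.]70", "186.162.118[.]133", "186.128.224[.]0", "186.136.204[.]137",
    "58.180.61[.]138", "45.140.145[.]68", "6.149.249[.]226", "192.119.99[.]42",
    "176.123.4[.]226", "80.82.78[.]42", "176.125.101[.]115", "45.182.189[.]226",
    "185.162.128[.]100", "185.162.128[.]219", "6.184.168[.]25", "181.214.147[.]164",
    "209.127.121[.]38", "89.248.172[.]139", "5.149.228[.]109", "176.123.4[.]146",
    "176.123.5[.]126",
]


def refang(indicator: str) -> str:
    """Turn the advisory's defanged notation (1.2.3[.]4) back into a real address."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def parse_version(text: str) -> tuple:
    """'5.8.0.21' -> (5, 8, 0, 21); tuples compare element-wise, so '5.10' > '5.8'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text: str) -> bool:
    """True when the installed Harmony/VLTrader/LexiCom build predates 5.8.0.24."""
    return parse_version(text) < FIXED_VERSION


def autorun_findings(filenames) -> list:
    """Return names from an Autorun directory listing that match known IOC files.

    After the Autorun directory has been cleared as the advisory recommends,
    the listing should be empty; any match here warrants forensic review.
    """
    return [name for name in filenames if name.lower() in IOC_AUTORUN_FILES]


def sha256_matches(data: bytes) -> bool:
    """True when the SHA-256 of the given file content is the advisory's Java Loader hash."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines) -> list:
    """Return (line_number, ip) pairs for every IOC address seen in the log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((number, ip))
    return hits


def scan_log_file(path) -> list:
    """Convenience wrapper: run scan_log_lines over a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log_lines(fh)


# Constructed sample data (not real telemetry) so the script runs offline.
SAMPLE_LOG = [
    "2024-12-08 03:14:02 INFO inbound connection from 10.0.0.15",
    "2024-12-08 03:14:09 INFO outbound GET http://45.182.189.102/dpixel",
    "2024-12-08 03:15:41 INFO outbound connect 216.245.221.83:443",
    "2024-12-08 03:16:00 INFO scheduler idle",
]
SAMPLE_AUTORUN_LISTING = ["readme.txt", "healthcheck.txt", "HealthCheckTemplate.TXT"]

if __name__ == "__main__":
    print("version 5.8.0.21 vulnerable:", is_vulnerable_version("5.8.0.21"))
    print("Autorun IOC files in sample listing:", autorun_findings(SAMPLE_AUTORUN_LISTING))
    print("IOC IPs in sample log:", scan_log_lines(SAMPLE_LOG))
    # Hypothetical path (assumption): point this at the Autorun directory
    # configured under System Options on the host being checked.
    autorun_dir = Path("autorun")
    if autorun_dir.is_dir():
        print("Autorun IOC files on disk:",
              autorun_findings(p.name for p in autorun_dir.iterdir()))
```

The indicators are stored exactly as the advisory defangs them and refanged on load, so the list can be pasted from the table without retyping. File-name matching is case-insensitive because Windows hosts (where the PowerShell variant of the attack applies) do not distinguish case; a clean Autorun directory after mitigation should yield no findings at all, and a hit on any of the three file names, the Java Loader hash, or a C2 address is a reason to proceed to the forensic investigation the advisory calls for.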