Widespread Exploitation of Cleo File Transfer Software
Dec. 16, 2024, 2:34 p.m.
Description
Critical vulnerabilities in Cleo file transfer products, including VLTrader, Harmony, and LexiCom, are being actively exploited. The activity began with exploitation of CVE-2024-50623, whose patch was insufficient; a new critical vulnerability, CVE-2024-55956, allows unauthenticated users to execute arbitrary commands. Exploitation has been confirmed in customer environments, with attackers dropping modular Java backdoors and conducting post-exploitation activity. Versions prior to 5.8.0.24 are affected. Immediate patching and removal of these systems from public internet access are recommended. Indicators of compromise and post-exploitation behavior have been observed, including enumeration commands, PowerShell usage, and attempts to clear Windows event logs.
Date
Published: Dec. 16, 2024, 2:25 p.m.
Created: Dec. 16, 2024, 2:25 p.m.
Modified: Dec. 16, 2024, 2:34 p.m.
Indicators
Attack Patterns
Cobalt Strike
T1069
T1550
T1482
T1082
T1105
T1071
T1140
T1033
T1562
T1190
T1059
CVE-2024-55956
CVE-2024-50623