Table of Contents
Security researchers have warned about in-the-wild attacks that exploit a remote code execution vulnerability in managed file transfer (MFT) solutions developed by enterprise software vendor Cleo Communications.The impacted products include the latest versions of Cleo LexiCom, Cleo VLTrader and Cleo Harmony, with experts advising to temporarily disconnect these systems from the internet until a patch is available.
The first company to report the attacks was managed EDR firm Huntress who detected the exploits in some of its customers’ systems. The affected systems used an older version of Cleo software that is vulnerable to a flaw patched in October, but the Huntress researchers determined that the patch is insufficient and even up to date product versions are vulnerable.
“From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC,” the Huntress team said in its report. “After some initial analysis, however, we have found evidence of exploitation as early as December 3.”
Researchers from vulnerability management firm Rapid7 confirmed Huntress’ findings and are also investigating signs of successful exploitation in some of its customers’ environments. Attackers are leveraging the flaw to write malicious files in specific locations on the server which then get automatically executed by the software.
An inefficient patch or a new flaw
On 24 October, Cleo published a security advisory about an unrestricted file upload and download vulnerability tracked as CVE-2024-50623 that could be used to achieve remote code execution. The vendor advised users to upgrade Harmony, VLTrader and LexiCom to version 5.8.0.21 to mitigate the flaw.
However, according to Huntress, the patch does not address all attack paths and can still be exploited on version 5.8.0.21. The researchers created a proof-of-concept exploit that they’ve shared with Cleo which confirmed the issue and is working on a new patch and updated versions. According to an updated advisory, the new vulnerability is now tracked as CVE-2024-55956 and was fixed for all impacted products in version 5.8.0.24, released on Dec. 11.
“Promptly upon discovering the vulnerability, Cleo launched an investigation with the assistance of outside cybersecurity experts, notified customers of the issue and provided instructions on immediate actions customers should take to address the vulnerability,” a Cleo spokesperson told CSO via email. “Cleo’s investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates.”
Upon further investigation, researchers from Rapid7 believe CVE-2024-55956 is a separate vulnerability and not a bypass of the patch for CVE-2024-50623, as originally believed and reported by Huntress. The new flaw is an unauthenticated file write vulnerability, while the older one is an authenticated file read and write flaw that requires credentials to exploit.
“The two vulnerabilities are not chained together to achieve RCE; CVE-2024-55956 can be exploited by itself to achieve unauthenticated RCE,” Stephen Fewer, principal security researcher at Rapid7, told CSO via email. “CVE-2024-55956 does occur in a similar part of the product code base as the CVE-2024-50623 and is reachable via the same endpoint in the target. However, the exploitation strategy differs greatly between the two vulnerabilities.”
Abusing the autorun feature
Huntress believes one of the exploits is the file upload vulnerability to drop a file called healthchecktemplate.txt in a subdirectory called autorun from the application’s folder. Files present in the folder are automatically processed by the Cleo applications.
Upon inspection, this rogue file invokes the native Import function of the Cleo software to process another file dropped in the temp folder on disk and called LexiCom6836057879780436035.tmp (name might vary between exploits).
Despite its .tmp extension, this file is actually a ZIP archive that contains a subdirectory called hosts with a file called mail.xml. The .xml file acts as a configuration file for what appears to be a feature to create a new mailbox connection in the Cleo software. When imported, this file will execute commands stored in its <Commands> declaration, in this case a malicious PowerShell command.
“This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation,” the researchers said. “These JAR files contain webshell-like functionality for persistence on the endpoint. We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy.”
The researchers noted that some files had already been deleted by the attackers before they could be recovered for analysis, but a log file called LexiCom.dbg will contain traces about the autorun files that have been executed. The attackers were also seen performing Active Directory reconnaissance by using nltest.exe, a command-line tool present on Windows Servers and used to enumerate domain controllers.
Researchers from security firm Arctic Wolf Networks managed to recover the Java payloads, which consist of a Java loader and a Java backdoor the researchers dubbed Cleopatra. The backdoor has support for both Windows and Linux and seems designed to specifically access data stored within the Cleo MFT products.
The backdoor plugs into Cleo functionality and implements nine classes, each serving a different purpose. One class executes shell commands and allows attackers to open a reverse shell. Three other classes implement in-memory storage and on-disk file operations such as reading, writing, and archiving.
The attackers used the backdoor to execute various shell commands to understand the system and network and to find other machines to potentially pivot to.
Mitigate by isolating servers
One possible mitigation until a patch is available is to disable the Autorun directory feature in the Cleo software configuration. According to Huntress, this can be done by going to the “Configure” menu of the software, selecting “Options” and navigating to the “Other” pane where the contents of the “Autorun Directory” field should be removed.
However, this will not prevent the exploitation of the arbitrary file upload vulnerability, so the best approach, according to Rapid7, is to isolate servers with the affected software from the internet or put a firewall in front of them.
Security teams should also investigate their Cleo servers for traces of this exploit by inspecting the log file or looking for the presence of a main.xml or a 60282967-dc91-40ef-a34c-38e992509c2c.xml file with embedded PowerShell commands.
This latest attack against Cleo products highlights that enterprise managed file transfer (MFT) solutions continue to be an attractive target for attackers. Ransomware groups have previously exploited vulnerabilities in the Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, Fortra/Linoma GoAnywhere MFT servers in early 2023 and MOVEit Transfer deployments in May 2023.
Originally published on Dec. 10, this article has been updated with newly released research and comment from Cleo and Rapid7.
