
File-Transfer Tool Flaw Exploited in Mass Hacks

December 10, 2024

Critical Vulnerability in Cleo File Transfer Software Exploited

Cybersecurity professionals are issuing alerts regarding the active exploitation of a significant security vulnerability in a widely used file transfer technology.

Details of the CVE-2024-50623 Vulnerability

The vulnerability, identified as CVE-2024-50623, impacts software made by Cleo, an Illinois-based enterprise software company. This information comes from recent research conducted by the cybersecurity firm Huntress.

Cleo initially disclosed the flaw on October 30th through a security advisory. The advisory detailed the potential for remote code execution as a consequence of successful exploitation.

Affected Cleo Products

The vulnerability specifically affects Cleo’s LexiCom, VLTransfer, and Harmony tools. These tools are frequently utilized by businesses to oversee and manage their file transfer processes.

Despite the release of a patch in October, Huntress reports that the current patch does not fully resolve the underlying software flaw.

Widespread Exploitation Observed

John Hammond, a security researcher at Huntress, stated that their team has been observing threat actors actively exploiting this software on a large scale since December 3rd.

Huntress, which provides protection for over 1,700 servers running Cleo LexiCom, VLTransfer, and Harmony, has identified at least 24 businesses that have already experienced server compromises.

Impacted Industries

The compromised organizations span various sectors, including:

  • Consumer product companies
  • Logistics and shipping organizations
  • Food suppliers

Hammond also indicated that a substantial number of other customers remain at risk of being targeted.

Vulnerable Servers Identified

Shodan, a search engine for internet-connected devices, reveals hundreds of Cleo servers susceptible to this vulnerability. A majority of these vulnerable servers are located within the United States.

Cleo’s Customer Base

Cleo serves a large customer base exceeding 4,200 organizations. Notable clients include Illumina, a U.S. biotechnology company, New Balance, a prominent sports footwear manufacturer, and Portable, a Dutch logistics firm.

Ongoing Investigation

Currently, Huntress has not yet determined the identity of the threat actor responsible for these attacks. It remains unclear whether any data has been stolen from the affected Cleo customers.

However, Hammond noted that the attackers have been observed engaging in post-exploitation activity following successful system compromises.

Cleo’s Response

In a statement provided to TechCrunch, Jorge Rodriguez, SVP of Product Development at Cleo, confirmed that a new patch addressing the critical vulnerability is currently “under development.”

Huntress advises Cleo customers to place any internet-facing systems behind a firewall until the updated patch becomes available.

Rodriguez did not disclose the number of impacted customers or confirm any instances of data exfiltration.

File Transfer Tools as Targets

Enterprise file transfer tools are frequently targeted by malicious actors and extortion groups.

Last year, the Clop ransomware group, linked to Russia, claimed thousands of victims by exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer product.

Previously, the same group had claimed responsibility for the widespread exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software, impacting over 130 organizations.

This article has been updated to include a statement from Cleo.
