On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTrader, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623—which allows unauthenticated remote code execution—Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.
TL;DR This vulnerability is being actively exploited in the wild, and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.
Based on our analysis, all versions prior to and including 5.8.0.21 are vulnerable:
Cleo Harmony® (5.8.0.21)
Cleo VLTrader® (5.8.0.21)
Cleo LexiCom® (5.8.0.21)
Our team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation. This blog will be frequently updated as more details emerge.
The three software solutions Harmony, VLTrader, and LexiCom are often installed in the root of the filesystem, as the suggested default in their installation process:
C:\LexiCom
C:\VLTrader
C:\Harmony
We have also observed installation folders in the typical C:\Program Files (x86) directory. Inside the installation folder are numerous subdirectories, with some more pertinent to the tradecraft than others:
logs\
host\
autorun\
(etc.)
As an example, the log would be found at the full path C:\LexiCom\logs\LexiCom.xml. Below is a record of the logs following threat actor exploitation:
(Log excerpt embedded as a gist: https://gist.github.com/JohnHammond/d918f0dae466df7eb9b57e608d9b26c0)
There are multiple things to note in this log snippet:
The first artifact of the attack chain is autorun\healthchecktemplate.txt.
Autorun files are immediately read, interpreted, and evaluated by LexiCom, Harmony, and VLTrader. We believe this is one of multiple files dropped onto the filesystem via the arbitrary file-write vulnerability. Files placed in the autorun folder are immediately deleted following their processing. Note: We have also seen autorun\healthcheck.txt used as well.
A “Warning” on the second entry indicates this instance is running version 5.8.0.0, which is the unpatched version. Our proof of concept, which we will discuss below, successfully exploits version 5.8.0.21.
The healthchecktemplate.txt autorun looks to invoke “Import” functionality, which is native and natural functionality of the Cleo software.
The Import process reads from a local file on disk. In this case, it loads temp\LexiCom6836057879780436035.tmp, which we believe to be a second file dropped via the arbitrary file-write vulnerability. This .tmp file is actually a .ZIP file, containing a subdirectory hosts with an inner main.xml file, as you see imported.
The main.xml file observed from in-the-wild exploitation contains:
(main.xml contents embedded as a gist: https://gist.github.com/JohnHammond/77295e3fe3ea0cb1b8f38fb2e4f54924)
Note the specific (and mischievous) date and timestamps: 2020/10/10 00:00:00 😉
This main.xml file stages a new autorun with an action (presumably built out to be healthcheck.txt) to invoke a PowerShell command and gain code execution. Unfortunately, the healthchecktemplate.txt and healthcheck.txt files placed in the autoruns subdirectory were automatically deleted and we do not yet know their contents.
Figure 1: Exploitation as displayed within one of the Cleo software solutions
The decoded PowerShell command has been observed with this structure:
(Decoded PowerShell command embedded as a gist: https://gist.github.com/JohnHammond/06316b11bfa524c16ecd20962d75bb74)
This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation. These JAR files contain webshell-like functionality for persistence on the endpoint.
We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy.
Also within the same logs folder, there may be a LexiCom.dbg log file. It will also contain information about any malicious autoruns files that have been processed, like so:
[timestamp] LexiCom.syncer [redacted] Request In <<< Multipart: VLSync:SentReceipt;service=AS2;path="autorun/healthchecktemplate.txt"
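Because autorun files are deleted as soon as the software processes them, a LexiCom.dbg entry like the one above may be the only surviving record that one was dropped. The following Python script is an added example (it is not part of the Huntress post or of the Cleo software) that parses such lines, flags every reference to a path under the autorun directory, and separately marks the two file names named in this post. The sample lines are constructed to mirror the entry shown above; the timestamps, partner names and the "other.cfg" line are invented.

```python
import re
from dataclasses import dataclass

# Autorun file names observed in this campaign (taken from the post).
SUSPICIOUS_AUTORUN_NAMES = {"healthchecktemplate.txt", "healthcheck.txt"}

# Constructed sample lines modelled on the LexiCom.dbg entry quoted in the post.
# Timestamps and partner names are invented; line 2 is a benign transfer and
# line 4 is an unknown autorun file name added to show the general check.
SAMPLE_DBG_LINES = [
    '[2024/12/08 07:01:12] LexiCom.syncer partner-a Request In <<< Multipart: '
    'VLSync:SentReceipt;service=AS2;path="autorun/healthchecktemplate.txt"',
    '[2024/12/08 07:01:13] LexiCom.syncer partner-a Request In <<< Multipart: '
    'VLSync:SentReceipt;service=AS2;path="inbox/invoice-1234.edi"',
    '[2024/12/08 07:02:40] LexiCom.syncer partner-b Request In <<< Multipart: '
    'VLSync:SentReceipt;service=AS2;path="autorun/healthcheck.txt"',
    '[2024/12/08 07:03:05] LexiCom.syncer partner-b Request In <<< Multipart: '
    'VLSync:SentReceipt;service=AS2;path="autorun\\other.cfg"',
]

# The path attribute as it appears in the quoted log line.
PATH_RE = re.compile(r'path="([^"]+)"')


@dataclass
class AutorunHit:
    line_no: int      # 1-based line number in the log
    path: str         # path exactly as logged
    name: str         # file name inside the autorun directory
    known_ioc: bool   # True if the name matches an indicator from the post


def find_autorun_writes(lines):
    """Return every log line whose path points into the autorun directory.

    Any file landing in autorun is executed by the product, so the check is
    on the directory rather than on the specific names seen so far.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = PATH_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        parts = path.replace("\\", "/").split("/")
        if len(parts) < 2 or parts[0].lower() != "autorun":
            continue
        name = parts[-1]
        hits.append(AutorunHit(line_no, path, name,
                               name.lower() in SUSPICIOUS_AUTORUN_NAMES))
    return hits


if __name__ == "__main__":
    for hit in find_autorun_writes(SAMPLE_DBG_LINES):
        flag = "KNOWN IOC" if hit.known_ioc else "unknown autorun file"
        print(f"line {hit.line_no}: {hit.path} ({flag})")
```

To run it against a real installation, replace SAMPLE_DBG_LINES with the lines of C:\LexiCom\logs\LexiCom.dbg (or the equivalent path for VLTrader and Harmony); every hit, known name or not, deserves a look, since legitimate use of the autorun feature is the only benign explanation.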
For further post-exploitation, the threat actors were observed enumerating potential Active Directory assets with domain reconnaissance tools like nltest.exe.
Huntress EDR depicts this child-parent process relationship like so:
Figure 2: Parent-child process relationship between nltest.exe
176.123.5.126 - AS 200019 (AlexHost SRL) - Moldova
5.149.249.226 - AS 59711 (HZ Hosting Ltd) - Netherlands
185.181.230.103 - AS 60602 (Inovare-Prim SRL) - Moldova
209.127.12.38 - AS 55286 (SERVER-MANIA / B2 Net Solutions Inc) - Canada
181.214.147.164 - AS 15440 (UAB Baltnetos komunikacijos) - Lithuania
192.119.99.42 - AS 54290 (HOSTWINDS LLC) - United States
From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3.
The majority of customers that we saw compromised deal with consumer products, the food industry, trucking, and shipping. There are still several other companies outside of our immediate view that are potentially compromised as well.
Figure 3: View of vulnerable Cleo server as seen on Shodan
Huntress communicated with Cleo on December 9 after creating our proof of concept. Over a Zoom call, they confirmed our understanding and the recreation of the attack chain.
Principal Security Researcher Caleb Stewart crafted a Python script that leverages the arbitrary file-write primitive to place files inside the autoruns subdirectory and prove its execution. This was tested successfully against LexiCom as well as VLTrader with both versions 5.8.0.0 and patched version 5.8.0.21.
At the time of writing, Cleo is preparing a new CVE designation and expects a new patch to be released mid-week.
At the time of writing, the 5.8.0.21 patched versions are insufficient against the exploit we are seeing in the wild. Speaking over a Zoom call, Cleo expressed that they will have a new patch available as soon as possible.
In the interim, we have suggested mitigations in an attempt to limit the attack surface. Knowing that the latter half of this attack path relies on code execution via the autoruns directory, it is possible to reconfigure Cleo software to disable this feature. However, this will not prevent the arbitrary file-write vulnerability until a patch is released.
Go to the “Configure” menu of LexiCom, Harmony, or VLTrader
Select “Options”
Navigate to the “Other” pane
Delete the contents of the “Autorun Directory” field
This will remove the ability to process Autorun files. Please apply your own risk and threat model here -- your mileage may vary if you know that you use this feature in production.
Figure 4: Cleo Harmony System Options showing the Autorun Directory option
If you are not a Huntress partner, review the hosts subdirectory in your software installation directory to determine if you have been affected. The presence of a main.xml or a 60282967-dc91-40ef-a34c-38e992509c2c.xml file (a name that looks to be reused across infections) with an embedded PowerShell-encoded command is a definitive indicator of compromise.
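As an added example (not Huntress or Cleo code), the Python script below performs the hosts-directory check described above: it lists the XML files in hosts\, flags the two file names from this post, extracts any PowerShell -EncodedCommand argument, decodes it (base64 of UTF-16LE text, the same decoding a CyberChef recipe would do), and reports whether the decoded text contains any of the attacker IPs listed in this post. The XML element layout used in the constructed sample is invented, as are the function names; only the file names and IP addresses come from the post. The sample builds a throwaway hosts folder so the script runs offline.

```python
import base64
import os
import re
import tempfile

# Indicators taken from the post: file names seen in hosts\ and the attacker
# IPs embedded in the encoded PowerShell.
IOC_FILENAMES = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}
IOC_IPS = {
    "176.123.5.126", "5.149.249.226", "185.181.230.103",
    "209.127.12.38", "181.214.147.164", "192.119.99.42",
}

# Matches "-EncodedCommand <base64>" and its usual abbreviations.
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_powershell(b64):
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE text)."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le", errors="replace")


def analyse_xml_text(name, text):
    """Classify one host XML file by name and by any embedded encoded command."""
    finding = {"file": name, "ioc_name": name.lower() in IOC_FILENAMES,
               "decoded": [], "ips": set()}
    for match in ENCODED_RE.finditer(text):
        try:
            decoded = decode_powershell(match.group(1))
        except ValueError:          # not valid base64; binascii.Error is a ValueError
            continue
        finding["decoded"].append(decoded)
        finding["ips"].update(ip for ip in IOC_IPS if ip in decoded)
    finding["suspicious"] = finding["ioc_name"] or bool(finding["decoded"])
    return finding


def scan_hosts_dir(hosts_dir):
    """Return a finding for every XML file in hosts_dir that looks staged."""
    findings = []
    for name in sorted(os.listdir(hosts_dir)):
        full = os.path.join(hosts_dir, name)
        if not (os.path.isfile(full) and name.lower().endswith(".xml")):
            continue
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            finding = analyse_xml_text(name, fh.read())
        if finding["suspicious"]:
            findings.append(finding)
    return findings


def build_sample_install(root):
    """Construct a fake hosts folder: one benign host file and one staged main.xml.

    The XML layout is invented for this demo; only the file name and the
    encoded PowerShell argument mirror the indicators described in the post.
    The decoded command merely echoes a URL with one of the listed IPs.
    """
    hosts = os.path.join(root, "hosts")
    os.makedirs(hosts, exist_ok=True)
    benign = '<Host alias="partner-a"><Mailbox>inbox</Mailbox></Host>'
    cmd = "Write-Output 'constructed sample pointing at http://176.123.5.126/'"
    b64 = base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")
    staged = ('<Host alias="healthcheck"><Action name="run">'
              f"<Command>powershell -enc {b64}</Command></Action></Host>")
    with open(os.path.join(hosts, "partner-a.xml"), "w", encoding="utf-8") as fh:
        fh.write(benign)
    with open(os.path.join(hosts, "main.xml"), "w", encoding="utf-8") as fh:
        fh.write(staged)
    return hosts


def demo():
    """Scan a constructed installation and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_hosts_dir(build_sample_install(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f["file"], "(known IoC name)" if f["ioc_name"] else "", sorted(f["ips"]))
        for d in f["decoded"]:
            print("  decoded:", d)
```

Point scan_hosts_dir at the real hosts subdirectory (for example C:\LexiCom\hosts) to triage an installation; a hit on either indicator file name, or any host file carrying an encoded PowerShell command, warrants treating the server as compromised.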
We are actively detecting and neutralizing activity related to the exploit. To do so, we have taken a three-pronged approach to effectively detect, investigate, and respond to the threat.
Huntress SOC analysts Austin Worline, Chad Hudson, Jai Minton, and Tanner Filip created detections specifically built to home in on and detect the activity triggered by the range of compromised Cleo products.
Figure 5: Cleo Detection in Huntress EDR
In tandem, Huntress analyst Amelia Casley generated an internal investigation guide to ensure that the global Huntress SOC team could triage this emerging threat in a scalable and consistent way to keep our community secure. This guide included a reusable CyberChef recipe to analyze the encoded PowerShell adversaries were deploying.
Figure 6: Extract of Huntress SOC Investigation Guide
Figure 7: Cyberchef recipe
Furthermore, Huntress neutralized this threat where it appeared on endpoints by leveraging the IP Blocking feature in Huntress Managed EDR. IP blocking adds a degree of cost to a threat actor, requiring them to rotate their infrastructure in order to reattempt a compromise. Once completed, we shared a detailed report with any impacted partners and customers.
Figure 8: Blocking Threat actor IPv4s on hosts subject to attempted compromises
Possible Cleo MFT Exploitation 2024
Javaw Spawning Suspicious Powershell
Item | Description
176.123.5.126 | Attacker IP embedded in encoded PowerShell
5.149.249.226 | Attacker IP embedded in encoded PowerShell
185.181.230.103 | Attacker IP embedded in encoded PowerShell
209.127.12.38 | Attacker IP embedded in encoded PowerShell
181.214.147.164 | Attacker IP embedded in encoded PowerShell
192.119.99.42 | Attacker IP embedded in encoded PowerShell
healthchecktemplate.txt or healthcheck.txt | Malicious autoruns files
60282967-dc91-40ef-a34c-38e992509c2c.xml | Standard XML file to prepare post-exploitation
Special thanks to Jai Minton, Tanner Filip, Dray Agha, Austin Worline, Chad Hudson, Amelia Casley, Jamie Levy, John Hammond, Caleb Stewart, Matt Kiely, Matt Anderson, and others for their tireless efforts and contributions to this investigation and writeup.