Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild

CVE-2024-50623 Summary

On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623—which allows unauthenticated remote code execution—Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.

‍TL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.

Based on our analysis, all versions prior to and including 5.8.0.21 are vulnerable:

• Cleo Harmony® (5.8.0.21)
• Cleo VLTrader® (5.8.0.21)
• Cleo LexiCom® (5.8.0.21)

Our team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation. This blog will be frequently updated as more details emerge.

Tradecraft We Observed

The three software solutions Harmony, VLTrader, and LexiCom are often installed in the root of the filesystem, as the suggested default in their installation process:

C:\LexiCom

C:\VLTrader

C:\Harmony

We have also observed installation folders in the typical [.highlight]C:\Program Files (x86)[.highlight] directory. Inside the installation folder are numerous subdirectories, with some more pertinent to the tradecraft than others:

[.highlight]logs\[.highlight]

[.highlight]host\[.highlight]

[.highlight]autorun\[.highlight]

(etc.)

As an example, we would find logs in a full path: [.highlight]C:\LexiCom\logs\LexiCom.xml[.highlight]. Below is a record of the logs following threat actor exploitation:

There are multiple things to note in this log snippet:

1. The first artifact of the attack chain is [.highlight]autorun\healthchecktemplate.txt[.highlight].
   
   Autorun files are immediately read, interpreted, and evaluated by LexiCom, Harmony, and VLTrader. We believe this is one of multiple files dropped onto the filesystem via the arbitrary file-write vulnerability. Files placed in the [.highlight]autorun[.highlight] folder are immediately deleted following their processing. Note: We have also seen [.highlight]autorun\healthcheck.txt[.highlight] used as well.
   ‍
2. A “Warning” on the second entry indicates this instance is running version 5.8.0.0, which is the unpatched version. Our proof of concept, which we will discuss below, successfully exploits version 5.8.0.21.
   
   
3. The [.highlight]healthchecktemplate.txt[.highlight] autorun looks to invoke “Import” functionality, which is native and natural functionality of the Cleo software.
   
   The Import process reads in from a local file on disk. In this case, it loads [.highlight]temp\LexiCom6836057879780436035.tmp,[.highlight] which we believe to be a second file dropped via the arbitrary file-write vulnerability. This .tmp file is actually a .ZIP file, containing a subdirectory [.highlight]hosts[.highlight] with an inner [.highlight]mail.xml[.highlight] file, as you see imported.
   
   The [.highlight]main.xml[.highlight] file observed from in-the-wild exploitation contains:

Note the specific (and mischievous) date and timestamps: 2020/10/10 00:00:00 😉

This [.highlight]main.xml[.highlight] file stages a new autorun with an action (presumably built out to be [.highlight]healthcheck.txt[.highlight]) to invoke a PowerShell command and gain code execution. Unfortunately, the [.highlight]healthchecktemplate.txt[.highlight] and [.highlight]healthcheck.txt[.highlight] files placed in the autoruns subdirectory were automatically deleted and we do not yet know their contents.

‍

The decoded PowerShell command has been observed with this structure:

This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation. These JAR files contain webshell-like functionality for persistence on the endpoint. 

We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy.

Also within the same logs folder, there may be a LexiCom.dbg log file. It will also contain information about any malicious autoruns files that have been processed, like so:‍

[timestamp] LexiCom.syncer [redacted] Request In <<< Multipart:
 VLSync:SentReceipt;service=AS2;path="autorun/healthchecktemplate.txt"

For further post-exploitation, the threat actors were observed enumerating potential Active Directory assets with domain reconnaissance tools like nltest.exe.

Huntress EDR depicts this child-parent process relationship like so:

‍

Observed IP addresses for callbacks

[.highlight]176.123.5.126[.highlight] - AS 200019 (AlexHost SRL) - Moldova 

[.highlight]5.149.249.226[.highlight] - AS 59711 (HZ Hosting Ltd) - Netherlands 

[.highlight]185.181.230.103[.highlight] - AS 60602 (Inovare-Prim SRL) - Moldova

[.highlight]209.127.12.38[.highlight] - AS 55286 (SERVER-MANIA / B2 Net Solutions Inc) - Canada

[.highlight]181.214.147.164[.highlight] - AS 15440 (UAB Baltnetos komunikacijos) - Lithuania‍

[.highlight]192.119.99.42[.highlight]  - AS 54290 (HOSTWINDS LLC) - United States

‍

Targets Exploited

From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC.  After some initial analysis, however, we have found evidence of exploitation as early as December 3. 

The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries. There are still several other companies outside of our immediate view who are potentially compromised as well.

‍

The Huntress Proof of Concept

Huntress communicated with Cleo on December 9 after creating our proof of concept. Over a Zoom call, they confirmed our understanding and the recreation of the attack chain. 

Principal Security Researcher Caleb Stewart crafted a Python script that leverages the arbitrary file-write primitive to place files inside the [.highlight]autoruns[.highlight] subdirectory and prove its execution. This was tested successfully against LexiCom as well as VLTrader with both versions 5.8.0.0 and patched version 5.8.0.21.

At the time of writing, Cleo is preparing a new CVE designation and expects a new patch to be released mid-week. 

‍

How to Stay Protected

At the time of writing, the 5.8.0.21 patched versions are insufficient against the exploit we are seeing in the wild. Speaking over a Zoom call, Cleo expressed that they will have a new patch available as soon as possible.

In the interim, we have suggested mitigations in an attempt to limit the attack surface. Knowing that the latter half of this attack path relies on code execution via the [.highlight]autoruns[.highlight] directory, it is possible to reconfigure Cleo software to disable this feature. However, this will not prevent the arbitrary file-write vulnerability until a patch is released.

1. Got to the “Configure” menu of LexiCom, Harmony, or VLTrader
2. Select “Options” 
3. Navigate to the “Other” pane
4. Delete the contents of the “Autorun Directory” field

This will remove the ability to process Autorun files. Please apply your own risk and threat model here -- your mileage may vary if you know that you use this feature in production.

‍

If you are not a Huntress partner, review the [.highlight]hosts[.highlight] subdirectory in your software installation directory to determine if you have been affected. The presence of a [.highlight]main.xml[.highlight] or a [.highlight]60282967-dc91-40ef-a34c-38e992509c2c.xml[.highlight] file (a name that looks to be reused across infections) with an embedded PowerShell-encoded command is a definitive indicator of compromise. 

‍

How Huntress Has Responded 

We are actively detecting and neutralizing activity related to the exploit. To do so, we have taken a three-pronged approach to effectively detect, investigate, and respond to the threat.  

Huntress SOC analysts Austin Worline, Chad Hudson, Jai Minton, andTanner Filip created detections specifically conjured to hone in on and detect the activity triggered by the range of compromised Cleo products.  

‍

In tandem, Huntress analyst Amelia Casley generated an internal investigation guide to ensure that the global Huntress SOC team could triage this emerging threat in a scalable and consistent way to keep our community secure. This guide included a reusable CyberChef recipe to analyze the encoded PowerShell adversaries were deploying. 

‍

Furthermore, Huntress neutralized this threat where it appeared on endpoints by leveraging the IP Blocking feature in Huntress Managed EDR. IP blocking adds a degree of cost to a threat actor, requiring them to rotate their infrastructure in order to reattempt a compromise. Once completed, we shared a detailed report with any impacted partners and customers. 

‍

Appendix A: 

Sigma rules

• ‍Possible Cleo MFT Exploitation 2024‍
• Javaw Spawning Suspicious PowerShell 

‍

Appendix B:

Indicators of Compromise (IOCs)

‍

Acknowledgments

‍Special thanks to Jai Minton, Tanner Filip, Dray Agha, Austin Worline, Chad Hudson, Amelia Casley, Jamie Levy, John Hammond, Caleb Stewart, Matt Kiely, Matt Anderson, and others for their tireless efforts and contributions to this investigation and writeup.

‍