Two critical vulnerabilities in Cleo file transfer software—CVE-2024-50623 and CVE-2024-55956—have been actively exploited, leading to unauthorized data access and system compromise. The Clop ransomware gang has claimed responsibility for these attacks, leveraging zero-day exploits to breach networks, steal data, and deploy ransomware. Despite patches released by Cleo, the initial fix for CVE-2024-50623 was incomplete, leaving systems vulnerable. Exploitation of these vulnerabilities involved uploading malicious files, installing backdoors, and executing commands, enabling lateral movement and data exfiltration.
CVE-2024-50623 was initially identified as a cross-site scripting vulnerability (CWE-79) but was later revised to an unrestricted file upload vulnerability (CWE-434), allowing remote code execution via malicious file uploads. This flaw affected Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.21. Despite Cleo releasing a patch in October 2024, threat actors bypassed the fix, exploiting the vulnerability to upload Java-based backdoors. These backdoors enabled attackers to execute arbitrary commands, steal sensitive data, and escalate privileges within compromised networks, leaving organizations vulnerable to further attacks.
CVE-2024-55956, a separate critical vulnerability, allowed unauthenticated users to execute arbitrary bash or PowerShell commands through default Autorun directory settings. This vulnerability impacted Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24. Following exploitation, attackers conducted reconnaissance using enumeration commands such as systeminfo and whoami. They deployed a Java-based RAT to launch PowerShell instances, which functioned as shellcode loaders. The PowerShell scripts decrypted and executed shellcode, ultimately downloading and running a 64-bit Cobalt Strike beacon DLL. Advanced attack techniques, including OverPass-The-Hash, were observed, allowing attackers to leverage NTLM hashes to obtain Kerberos tickets and escalate privileges within networks.
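As an added detection example (not code from the advisory or from Cleo), the following Python flags process-creation events that match the post-exploitation chain described above: a Cleo Java process spawning a shell, and the enumeration commands systeminfo and whoami running beneath that shell. The Sysmon-style event fields (pid, ppid, image, cmdline) and the C:\LexiCom install path are assumptions for illustration.

```python
# Constructed sample events; the feed format (pid/ppid/image/cmdline) and the
# C:\LexiCom\... install path are assumptions, not values from the advisory.
CLEO_PRODUCTS = ("harmony", "vltrader", "lexicom")   # products named in the advisory
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh")
RECON_COMMANDS = ("systeminfo", "whoami")            # enumeration commands named above
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\LexiCom\jre\bin\javaw.exe", "cmdline": "javaw.exe -jar LexiCom.jar"},
    {"pid": 4101, "ppid": 1200, "image": PS, "cmdline": "powershell.exe -nop -w hidden -c ..."},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"pid": 4133, "ppid": 4101, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    # Benign control: an admin's own shell launched from explorer.exe, not from Cleo.
    {"pid": 5000, "ppid": 900, "image": PS, "cmdline": "powershell.exe Get-Service"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_cleo_java(event):
    """Java runtime whose image path lives under a Cleo product install directory."""
    path = event["image"].lower()
    return basename(path) in ("java.exe", "javaw.exe", "java") and any(p in path for p in CLEO_PRODUCTS)

def cleo_ancestor(event, by_pid, max_depth=8):
    """Walk ppid links upward; return the Cleo Java ancestor event, or None."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
        if is_cleo_java(cur):
            return cur
    return None

def detect(events):
    """Return (pid, rule) findings for events descending from a Cleo Java process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        anc = cleo_ancestor(e, by_pid)
        if anc is None:
            continue                       # no Cleo ancestry: out of scope for these rules
        name = basename(e["image"])
        stem = name[:-4] if name.endswith(".exe") else name
        if name in SHELLS and e["ppid"] == anc["pid"]:
            findings.append((e["pid"], "cleo_java_spawned_shell"))
        if stem in RECON_COMMANDS or any(c in e["cmdline"].lower().split() for c in RECON_COMMANDS):
            findings.append((e["pid"], "recon_under_cleo_process"))
    return findings
```

The same ancestry walk covers the Linux side of the chain, where the Java process spawns bash instead of PowerShell.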
The Clop ransomware gang has claimed responsibility for these attacks, continuing their trend of targeting secure file transfer systems. Clop exploited both vulnerabilities, employing tactics similar to their previous campaigns. Their operation involved stealing sensitive data and deploying ransomware to encrypt devices across corporate networks.