Category | Details |
---|---|
Threat Actors | Termite, Cl0p ransomware group |
Campaign Overview | Exploitation of Cleo file transfer software vulnerabilities (CVE-2024-50623, CVE-2024-55956), leading to data theft and ransomware attacks. |
Target Regions | Primarily North America, particularly the United States |
Methodology | Exploitation of vulnerabilities in Cleo Harmony, VLTrader, and LexiCom software to upload Java backdoors, enabling data theft and further network infiltration. |
Products Targeted | Cleo Harmony, VLTrader, LexiCom (versions before 5.8.0.24) |
Malware Reference | Malichus (Java-based malware used for post-exploitation activities like data theft, command execution, and lateral movement) |
Tools Used | Java backdoors, encoded PowerShell scripts |
Vulnerabilities Exploited | CVE-2024-50623 (CVSS 8.8, unrestricted file access, RCE) and CVE-2024-55956 (CVSS 9.8, similar exploitation path) |
TTPs | Use of vulnerable endpoints for file upload and execution, creating reverse shells, reconnaissance, and post-exploitation activities for data theft. |
Attribution | Termite (initially suspected); Cl0p (confirmed via statements on their leak site). |
Recommendations | Update Cleo products to version 5.8.0.24, disable Autorun directory, remove public-facing Cleo servers, improve firewall settings, and monitor for IOCs. |
Source | SOCRadar |
Read full article: https://socradar.io/cleo-file-transfer-vulnerabilities-cl0ps-attack-vector/
The above summary has been generated by an AI language model