| Category | Details |
|---|---|
| Threat Actors | Termite, Cl0p ransomware group |
| Campaign Overview | Exploitation of Cleo file transfer software vulnerabilities (CVE-2024-50623, CVE-2024-55956), leading to data theft and ransomware attacks. |
| Target Regions | Primarily North America, particularly the United States |
| Methodology | Exploitation of vulnerabilities in Cleo Harmony, VLTrader, and LexiCom software to upload Java backdoors, enabling data theft and further network infiltration. |
| Products Targeted | Cleo Harmony, VLTrader, LexiCom (versions before 5.8.0.24) |
| Malware Reference | Malichus (Java-based malware used for post-exploitation activities like data theft, command execution, and lateral movement) |
| Tools Used | Java backdoors, encoded PowerShell scripts |
| Vulnerabilities Exploited | CVE-2024-50623 (CVSS 8.8, unrestricted file access, RCE) and CVE-2024-55956 (CVSS 9.8, similar exploitation path) |
| TTPs | Use of vulnerable endpoints for file upload and execution, creating reverse shells, reconnaissance, and post-exploitation activities for data theft. |
| Attribution | Termite (initially suspected); Cl0p (confirmed via statements on their leak site). |
| Recommendations | Update Cleo products to version 5.8.0.24, disable the Autorun directory, remove public-facing Cleo servers, improve firewall settings, and monitor for IOCs. |
| Source | SOCRadar |
Read full article: https://socradar.io/cleo-file-transfer-vulnerabilities-cl0ps-attack-vector/
The above summary has been generated by an AI language model