| Attribute | Details |
|---|---|
| Threat Actors | Termite ransomware group (potentially linked to Cl0p/Lace Tempest) |
| Campaign Overview | Mass exploitation of a vulnerability in Cleo file transfer software, leading to remote code execution and ransomware deployment |
| Target Regions | Primarily the U.S. (79% of exposed servers), with additional incidents in Canada, Mexico, Ireland, and Germany |
| Methodology | Unauthenticated remote code execution via unrestricted file uploads, leveraging autorun directories for exploitation |
| Product Targeted | Cleo Harmony, VLTrader, LexiCom (versions up to 5.8.0.23) |
| Malware Reference | Modified Babuk ransomware, adding the .termite extension |
| Tools Used | PowerShell commands, JAR files, autorun directories for execution, zero-day exploits |
| Vulnerabilities Exploited | CVE-2024-50623 (unrestricted file upload vulnerability) |
| TTPs | Dropping files via autorun directory, exploitation via exposed servers, ransomware encryption |
| Attribution | Linked to the Termite ransomware group, potentially a successor or rebranding of Cl0p |
| Recommendations | Update software, remove instances from public exposure, monitor Cleo’s security updates, and implement immediate mitigation steps |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/cleo-file-transfer-vulnerability-under.html
Disclaimer: The above summary has been generated by an AI language model