| Category | Details |
|---|---|
| Threat Actors | Not explicitly named; the actors exploited vulnerabilities in Cleo software. |
| Campaign Overview | Exploitation of CVE-2024-50623 in Cleo Harmony, VLTrader, and LexiCom for remote code execution. |
| Target Industries | Companies in the consumer products, food, trucking, and shipping industries. |
| Methodology | Exploitation of an arbitrary file-write vulnerability, with code execution achieved through the autorun directory. |
| Product Targeted | Cleo Harmony (5.8.0.21), VLTrader (5.8.0.21), LexiCom (5.8.0.21). |
| Malware Reference | Encoded PowerShell commands and malicious autorun files (e.g., `healthchecktemplate.txt`). |
| Tools Used | PowerShell, domain reconnaissance tools (e.g., `nltest.exe`), custom JAR files. |
| Vulnerabilities Exploited | CVE-2024-50623 (arbitrary file-write vulnerability). |
| TTPs | File write to the autorun directory, execution of malicious PowerShell commands, callbacks to external IP addresses, post-exploitation cleanup. |
| Attribution | No direct attribution; infrastructure linked to multiple hosting providers in Moldova, the Netherlands, Canada, and the U.S. |
| Recommendations | Move Cleo systems behind a firewall; disable autorun directory processing; monitor for IOCs such as `60282967-dc91-40ef-a34c-38e992509c2c.xml`. |
| Source | Huntress |

Read full article: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Disclaimer: The above summary has been generated by an AI language model