
Cleo Software Actively Being Exploited in the Wild | Huntress

Threat Actors: Not explicitly named; the actors exploit vulnerabilities in Cleo software.
Campaign Overview: Exploitation of CVE-2024-50623 in Cleo Harmony, VLTrader, and LexiCom for remote code execution.
Target Regions: Companies in the consumer products, food, trucking, and shipping industries.
Methodology: Exploitation of an arbitrary file-write vulnerability, with execution achieved via the autorun directory.
Product Targeted: Cleo Harmony (5.8.0.21), VLTrader (5.8.0.21), LexiCom (5.8.0.21).
Malware Reference: Encoded PowerShell commands and malicious autorun files (e.g., healthchecktemplate.txt).
Tools Used: PowerShell, domain reconnaissance tools (e.g., nltest.exe), custom JAR files.
Vulnerabilities Exploited: CVE-2024-50623, an arbitrary file-write vulnerability.
TTPs: File write to the autorun directory, execution of malicious PowerShell commands, callbacks to external IPs, post-exploitation cleanup.
Attribution: No direct attribution; infrastructure linked to multiple hosting providers in Moldova, the Netherlands, Canada, and the U.S.
Recommendations:
– Move Cleo systems behind a firewall.
– Disable autorun directory processing.
– Monitor for IOCs such as 60282967-dc91-40ef-a34c-38e992509c2c.xml.
Source: Huntress

Read full article: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

Disclaimer: The above summary has been generated by an AI language model

Source: Huntress

Published on: December 9, 2024
