| Category | Details |
|---|---|
| Threat Actors | Not explicitly identified; the activity is linked to adversaries exploiting RCE vulnerabilities in Cleo file transfer software. |
| Campaign Overview | Active exploitation of CVE-2024-50623 in Cleo Harmony, VLTrader, and LexiCom file transfer products, affecting several industries such as consumer products, food, trucking, and shipping. |
| Target Regions | Global, with at least ten compromised businesses observed and over 100 vulnerable Cleo product instances exposed to the internet. |
| Methodology | Exploitation of an Arbitrary File Write vulnerability (CVE-2024-50623) to achieve Remote Code Execution (RCE) via autoruns functionality. |
| Product Targeted | Cleo Harmony, VLTrader, and LexiCom file transfer products (versions up to 5.8.0.21). |
| Malware Reference | None explicitly mentioned; focus is on vulnerability exploitation rather than specific malware. |
| Tools Used | Shodan, used to identify internet-exposed vulnerable instances; on the defensive side, CTI-enriched detection rules and threat detection solutions such as the SOC Prime Platform. |
| Vulnerabilities Exploited | CVE-2024-50623 (Arbitrary File Write vulnerability). |
| TTPs | Exploitation of improperly patched vulnerabilities; persistence on compromised systems; reconnaissance and stealthy post-exploitation activity. |
| Attribution | Not attributed to a specific nation-state or group, but exploitation is ongoing and widespread. |
| Recommendations | Reconfigure Cleo software to temporarily disable the autoruns functionality; apply updated patches once released; use CTI-enriched detection rules for proactive threat detection and hunting. |
| Source | SOC Prime |
Read full article: https://socprime.com/blog/cve-2024-50623-vulnerability-detection/
The above summary has been generated by an AI language model