CISA warns of ransomware gangs exploiting Cleo, CyberPanel bugs

Two recently disclosed vulnerabilities are being used by ransomware gangs to attack organizations across the U.S., according to the nation’s top cybersecurity agency. 

Over the last two weeks, the Cybersecurity and Infrastructure Security Agency (CISA) has taken the rare step of confirming that ransomware actors are exploiting specific bugs, ordering government agencies to urgently patch the two vulnerabilities as soon as possible. 

On Friday, CISA said federal civilian agencies have until January 3 to patch CVE-2024-50623 — a vulnerability that has caused alarm among cybersecurity experts this week because of its impact on a widely used file-sharing product from software company Cleo. 

The bug affects three file-sharing products: Cleo Harmony, VLTrader and LexiCom. Cleo Harmony and VLTrader are used to send large amounts of data and are built for more enterprise-level file sharing needs, while LexiCom is a lighter solution oftentimes used by smaller organizations to send files.

Cybersecurity companies have since reported dozens of customers being breached through the vulnerability, which was originally patched by Cleo in October. Researchers discovered last week that the patch was ineffective and hackers — some of whom are allegedly part of the Termite ransomware gang — have been exploiting it since December 7. 

Researchers discovered a new family of malware being used in attacks, which have mostly affected victims in the consumer products, shipping and retail supply industries, according to several incident responders. 

The addition of the Cleo vulnerability comes nine days after CISA added another bug to its catalog of exploited vulnerabilities that it said ransomware gangs were exploiting. 

CISA ordered federal civilian agencies to patch CVE-2024-51378, which affects a product from software company CyberPanel, by Christmas Day. 

CyberPanel products allow people to manage websites, domains, email, and other hosting features on a Linux server. Organizations typically use CyberPanel for web hosting management, email management, database management and WordPress hosting, according to researchers.

Malicious actors were able to infect several CyberPanel instances, experts warned, after a technical write-up about the vulnerability was released in late October. 

Scott Caveza, staff research engineer at Tenable, said a GitHub repo indicates that at least three ransomware variants have been found on infected CyberPanel instances: a variant of the Babuk ransomware, a Cerber ransomware variant and the PSAUX ransomware. 

BleepingComputer reported in October that more than 22,000 CyberPanel instances were targeted in a PSAUX ransomware attack, shutting down nearly all of them. 

Mike Walters, co-founder of cybersecurity firm Action1, told Recorded Future that PSAUX ransomware actors have been targeting web servers through vulnerabilities like the one affecting CyberPanel since emerging in June, and urged CyberPanel users to update to the latest version available on GitHub as soon as possible.

CISA said it would begin making public, through its catalog, whether ransomware gangs are exploiting a vulnerability in October 2023. Previously, it had shared the data with organizations through its Ransomware Vulnerability Warning Pilot Program (RVWP). The addition was intended to serve as another reason for federal civilian agencies and other organizations to be proactive about patching vulnerabilities.

Nonetheless, the information has seldom been provided. On the forms describing vulnerabilities, the “Known To Be Used in Ransomware Campaigns?” field has been left as “unknown” outside of a few rare cases.
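An added example, not from CISA or this article: a short Python script that reads a KEV-style JSON feed, keeps only the entries flagged as known ransomware use, and reports days remaining until each remediation due date, so that the rare "Known" flag described above can drive patch prioritisation. The field names (`vulnerabilities`, `cveID`, `dueDate`, `knownRansomwareCampaignUse`) are assumed from the public KEV JSON feed; the sample feed is constructed, reusing the two CVEs and due dates from the article with illustrative `dateAdded` values.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names assumed
# from the public feed). The first two entries mirror the CVEs in the article;
# the third is a placeholder entry that is NOT flagged for ransomware use.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-50623", "vendorProject": "Cleo",
         "product": "Multiple Products", "dateAdded": "2024-12-13",
         "dueDate": "2025-01-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-51378", "vendorProject": "CyberPanel",
         "product": "CyberPanel", "dateAdded": "2024-12-04",
         "dueDate": "2024-12-25", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor",
         "product": "PlaceholderProduct", "dateAdded": "2024-12-10",
         "dueDate": "2024-12-31", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def ransomware_flagged(feed_json, today_iso):
    """Return KEV entries flagged "Known" for ransomware use, earliest due date first.

    Each row is (cveID, vendorProject, dueDate, days_left); days_left is negative
    once the remediation deadline has passed relative to today_iso (YYYY-MM-DD).
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        # The catalog records "Known" or "Unknown"; only "Known" is a confirmed signal.
        if v.get("knownRansomwareCampaignUse") != "Known":
            continue
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        rows.append((v["cveID"], v["vendorProject"], v["dueDate"], days_left))
    return sorted(rows, key=lambda r: r[2])


def overdue(feed_json, today_iso):
    """cveIDs of ransomware-flagged entries whose due date has already passed."""
    return [r[0] for r in ransomware_flagged(feed_json, today_iso) if r[3] < 0]


if __name__ == "__main__":
    for row in ransomware_flagged(SAMPLE_KEV, "2024-12-16"):
        print("%s (%s) due %s, %d days left" % row)
```

Against the real feed, pass the downloaded JSON text instead of `SAMPLE_KEV`; the logic is unchanged.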

The addition of two bugs acknowledged as exploited by ransomware actors was notable to cybersecurity experts. 

“While it’s not often that CISA KEV vulnerabilities are flagged as being attributed to ransomware groups, in this case, there is sufficient evidence to suggest that multiple opportunistic attackers targeted this vulnerability with multiple ransomware strains,” Caveza said of the CyberPanel bug. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.