Cleo urges customers to ‘immediately’ apply new patch as researchers discover new malware
Software company Cleo urged customers on Thursday to immediately apply a new patch for a vulnerability already being used by cybercriminals to breach organizations.
The vulnerability affects the company’s popular file sharing products Cleo Harmony, VLTrader and LexiCom that are used by dozens of large companies.
The bug was initially tagged as CVE-2024-50623 in October and patched by the company, but researchers from cybersecurity firm Huntress discovered that systems were still vulnerable even after applying the fix.
A Cleo spokesperson told Recorded Future News that the company released a new patch to resolve the issue on Wednesday night. A new CVE is being generated for the issue.
“Cleo continues to work proactively to support customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability,” the spokesperson said.
“Promptly upon discovering the vulnerability, Cleo launched an investigation with the assistance of outside cybersecurity experts, notified customers of the issue and provided instructions on immediate actions customers should take to address the vulnerability. Cleo’s investigation is ongoing.”
In addition to applying the patch, Cleo has said in a private advisory that customers should block a set of IP addresses seen exploiting the bug.
Cleo Harmony and VLTrader are built for enterprise-scale file transfer and are used to move large volumes of data, while LexiCom is a lighter product often used by smaller organizations.
John Hammond, principal security researcher at Huntress, told Recorded Future News that the number of compromised partners or hosts under Huntress’s purview has grown to 24 since the bug emerged. The affected organizations are mostly in the consumer products, shipping and retail supply industries, he said.
He added that the faulty patch and the vulnerability currently being exploited now appear to be separate issues, noting that some confirmed compromised organizations had already patched to the latest version.
During its incident response engagements, Hammond said, Huntress discovered a new malware family it named Malichus that is being deployed by hackers exploiting the Cleo bug.
Based on those investigations and on the malware itself, Hammond said it is clear the attackers are a sophisticated group of threat actors with intimate knowledge of the Cleo software who carried out a difficult and clever attack.
Hammond noted that Blue Yonder, a software company hit with a pre-Thanksgiving ransomware attack that impacted dozens of downstream retailers like Starbucks, had an instance of Cleo software open to the internet.
The Termite ransomware gang took credit for the attack on Blue Yonder and several cybersecurity experts have said the Cleo vulnerability is being exploited by the same gang.
Cybersecurity firm Arctic Wolf Labs said it observed a mass exploitation campaign starting on December 7 that used Cleo Managed File Transfer products for initial access. Experts at Watchtowr said they have also seen ransomware gangs exploiting the vulnerability.
According to Hammond, there have been rumblings that Termite may have some connection to Clop, a ransomware gang that drew international outrage for several global campaigns stealing data through bugs in popular file sharing tools like MOVEit, GoAnywhere and Accellion.
“There is some data that seems to support this as Clop’s activities have waned while Termite's activities have increased,” Hammond theorized. “They are also operating in some similar fashions. We're not really in the attribution game, but it wouldn't be surprising at all if we are seeing a shift in these ransomware gangs at the moment.”
A search on Shodan, a search engine for internet-exposed devices, showed that about 160 Cleo endpoints are still vulnerable, according to Hammond, who noted that the number of compromised organizations Huntress monitors has more than doubled since the start of the week.
“From what we have observed in the wild, the activity thus far has been just obtaining initial access, establishing persistence with their malware payload and C2 communication, and then beginning enumeration of the rest of the environment,” Hammond said.
“We've seen no indication of ransomware or explicit data theft yet, but thankfully the industry has caught up to this threat quick enough we may never know the true goal of the campaign — we caught this before it became something more.”
Christiaan Beek, senior director of threat analytics at cybersecurity firm Rapid7, said they have analyzed the same malware sample as Huntress and came to similar conclusions, finding that the attacks “are consistent with typical reconnaissance behavior.”
“As such, they are too generic to suggest the involvement of any specific threat group,” Beek said.
Cybersecurity experts with Sophos wrote on social media that all observed impacted customers “have a branch or operate within the North Americas, primarily the US.”
“We note the majority of observed affected customers are retail organizations,” Sophos said.
Scott Algeier, executive director of the Food and Agriculture Information Sharing and Analysis Center, said the group is monitoring the Cleo situation closely and is working with its members to provide intelligence as well as mitigation guidance to help secure them.
“While some enterprises in the food sector, among other industries, could be impacted by this vulnerability, we have not observed indications of wide-scale disruptions within the supply chain at this time,” Algeier said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.