Penelope Iroko Table of Contents
Cybersecurity experts have revealed a major security flaw in Cleo’s file transfer tools that has been actively exploited by a new ransomware group known as Termite.
This Cleo vulnerability exploitation has impacted numerous organizations, leaving them vulnerable to data theft and ransomware attacks.
Key Takeaway:
- The Cleo vulnerability exploitation highlights the critical importance of patching software promptly to avoid severe data breaches.
What Happened?
On December 3, reports emerged of a vulnerability in Cleo’s Harmony, VLTrader, and LexiCom products being exploited in the wild. The flaw, identified as CVE-2024-50623, allows unauthorized file uploads and remote code execution.
While Cleo attempted to fix the issue with an update in October, cybersecurity firm Huntress found the patch insufficient. As a result, attackers have targeted nearly 1,700 servers, with over 10 businesses confirmed as victims.
Data at Risk:
| Type of Data | Details |
|---|---|
| Sensitive Customer Data | Client records, financial data |
| Internal Business Data | Proprietary information, operational documents |
| Server Access | Reverse shell establishment attempts |
Who Is Behind the Attacks?
The Termite ransomware group has been identified as a key threat actor in this campaign. Termite first gained attention after targeting supply chain software company Blue Yonder, affecting high-profile clients like Starbucks.
In this case, attackers reportedly stole 680 GB of data, signaling their focus on large-scale data theft.
Real-Life Parallel:
This incident is reminiscent of the MOVEit hack by the Cl0p ransomware group earlier this year. That breach exposed sensitive data from thousands of organizations, including governments and private firms.
Industries and Regions Affected
Huntress and other cybersecurity firms, such as Rapid7 and Sophos, have observed widespread attacks across various industries:
| Industry | Details |
| Retail | U.S.-based companies primarily affected |
| Consumer Products | Food, trucking, and shipping sectors targeted |
| Supply Chain Management | Key players like Blue Yonder directly impacted |
Censys also reported that nearly 1,300 Harmony, VLTrader, and LexiCom servers remain publicly exposed, with 80% located in the United States.
Cleo’s Response to the Exploitation
In a public advisory issued on December 5, Cleo announced plans to release a fully patched update, version 5.8.0.23, addressing the vulnerability.
The company also disclosed that attackers exploited the default settings of its Autorun directory to execute malicious commands, such as reverse shell setups.
Registered users can access detailed remediation guidance through Cleo’s private advisory.
Steps Taken by Cleo:
- Improved Patch Development: A new CVE identifier and fixes are underway.
- Transparency: Advisory notices issued to customers and regulatory bodies.
- Customer Support: Guidance for securing affected systems shared with users.
How to Protect Your Organization
If your company uses Cleo products, follow these steps to safeguard your data:
| Action | Details |
| Apply Updates Immediately | Install Cleo’s latest patch (version 5.8.0.23) as soon as it’s released. |
| Monitor Server Activity | Check for suspicious uploads or shell connections. |
| Limit Public Exposure | Restrict internet access for file transfer tools. |
| Partner with Cyber Experts | Engage cybersecurity firms like Huntress for detailed threat analysis. |
Rounding Up
The Cleo vulnerability exploitation underscores the persistent risks posed by insufficiently patched software. With the Termite ransomware group actively exploiting this flaw, affected organizations must act quickly to protect their systems.
By implementing security patches, monitoring systems, and restricting server exposure, companies can reduce the likelihood of severe data breaches.
About Cleo
Cleo specializes in enterprise-grade data movement and integration solutions, serving over 4,000 global clients. Their flagship products, Harmony, VLTrader, and LexiCom, are widely used in industries like logistics, retail, and manufacturing. Learn more about Cleo’s offerings on their official website.
FAQs
1. What is the Cleo vulnerability exploitation? The exploitation involves unauthorized access to Cleo’s file transfer tools, enabling attackers to execute malicious code and steal data.
2. Who is the Termite ransomware group? Termite is a newly identified ransomware group linked to attacks on supply chain software and high-profile clients like Starbucks.
3. How can I protect my business from these attacks? Apply all patches from Cleo, monitor system activity, and restrict public exposure of servers.
4. Has Cleo fully fixed the vulnerability? Cleo plans to release an updated version (5.8.0.23) addressing the issue, but vigilance is advised until it is widely deployed.
5. Are there parallels to other incidents? Yes, this breach is similar to the MOVEit hack by Cl0p, which affected thousands of organizations earlier this year.
