Security researchers have warned about in-the-wild attacks that exploit a remote code execution vulnerability in managed file transfer (MFT) solutions developed by enterprise software vendor Cleo Communications. The impacted products include the latest versions of Cleo LexiCom, Cleo VLTrader and Cleo Harmony, with experts advising customers to temporarily disconnect these systems from the internet until a patch is available.

The first company to report the attacks was managed EDR firm Huntress, which detected the exploits in some of its customers’ systems. The affected systems ran an older version of Cleo software that is vulnerable to a flaw patched in October, but the Huntress researchers determined that the patch is insufficient and that even up-to-date product versions are vulnerable.

“From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC,” the Huntress team said in its report. “After some initial analysis, however, we have found evidence of exploitation as early as December 3.”

Researchers from vulnerability management firm Rapid7 confirmed Huntress’ findings and are also investigating signs of successful exploitation in some of its customers’ environments. Attackers are leveraging the flaw to write malicious files to specific locations on the server, where the software then executes them automatically.

On 24 October, Cleo published a security advisory about an unrestricted file upload and download vulnerability, tracked as CVE-2024-50623, that could be used to achieve remote code execution. The vendor advised users to upgrade Harmony, VLTrader and LexiCom to version 5.8.0.21 to mitigate the flaw. However, according to Huntress, the patch does not address all attack paths and the flaw can still be exploited on version 5.8.0.21.
The researchers created a proof-of-concept exploit that they have shared with Cleo, which confirmed the issue and is working on a new patch and updated versions. According to a new advisory, for which a CVE number has not yet been assigned, the fix will ship in version 5.8.0.23.
Abusing the autorun feature
Huntress believes one of the exploits uses the file upload vulnerability to drop a file called healthchecktemplate.txt into a subdirectory called autorun under the application’s folder. Files present in that folder are automatically processed by the Cleo applications. Upon inspection, this rogue file invokes the native Import function of the Cleo software to process another file dropped into the temp folder on disk and called LexiCom6836057879780436035.tmp (the name might vary between exploits).

Despite its .tmp extension, this file is actually a ZIP archive that contains a subdirectory called hosts with a file called mail.xml. The .xml file acts as a configuration file for what appears to be a feature for creating a new mailbox connection in the Cleo software. When imported, this file will execute the commands stored in its <Commands> declaration, in this case a malicious PowerShell command.

“This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation,” the researchers said. “These JAR files contain webshell-like functionality for persistence on the endpoint. We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy.”

The researchers noted that some files had already been deleted by the attackers before they could be recovered for analysis, but a log file called LexiCom.dbg will contain traces of the autorun files that have been executed. The attackers were also seen performing Active Directory reconnaissance using nltest.exe, a command-line tool present on Windows Servers that is used to enumerate domain controllers.
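As an added example, not taken from the article or from Huntress or Cleo, the following Python applies the indicators described above to a file a responder has recovered from the temp folder: it checks whether the file is a ZIP archive regardless of its extension, whether it carries hosts/mail.xml, and whether that file’s <Commands> element embeds a PowerShell invocation. The XML layout around <Commands> and the sample archive it builds are constructed assumptions, as is the LexiCom.dbg check, which only looks for the autorun file name mentioned in the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Indicators taken from the article; everything else here is an assumption.
SUSPECT_ENTRY = "hosts/mail.xml"
AUTORUN_DROPPER = "healthchecktemplate.txt"
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)


def commands_from_xml(xml_bytes: bytes) -> list:
    """Return the text of every <Commands> element in an XML blob (namespace-agnostic)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    return [e.text.strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "Commands" and e.text]


def inspect_import_archive(data: bytes) -> Optional[str]:
    """Return the embedded PowerShell command if `data` is a ZIP that carries
    hosts/mail.xml with a PowerShell <Commands> entry, otherwise None."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n.replace("\\", "/").lower(): n for n in zf.namelist()}
        entry = names.get(SUSPECT_ENTRY)
        if entry is None:
            return None
        for cmd in commands_from_xml(zf.read(entry)):
            if POWERSHELL_RE.search(cmd):
                return cmd
    return None


def dbg_lines_mentioning_dropper(dbg_text: str) -> list:
    """Return LexiCom.dbg lines that reference the autorun dropper file name."""
    return [ln for ln in dbg_text.splitlines() if AUTORUN_DROPPER in ln.lower()]


def build_sample_archive() -> bytes:
    """Constructed stand-in for the described .tmp archive; not a real sample."""
    mail_xml = (b'<?xml version="1.0"?><Host alias="mail"><Commands>'
                b'powershell -Command "Write-Output constructed-sample"'
                b'</Commands></Host>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SUSPECT_ENTRY, mail_xml)
    return buf.getvalue()


if __name__ == "__main__":
    hit = inspect_import_archive(build_sample_archive())
    print("FLAGGED:" if hit else "clean", hit or "")
```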
Mitigate by isolating servers
One possible mitigation until a patch is available is to disable the Autorun directory feature in the Cleo software configuration. According to Huntress, this can be done by going to the “Configure” menu of the software, selecting “Options” and navigating to the “Other” pane, where the contents of the “Autorun Directory” field should be removed.

However, this will not prevent exploitation of the arbitrary file upload vulnerability, so the best approach, according to Rapid7, is to isolate servers running the affected software from the internet or put a firewall in front of them.

Security teams should also investigate their Cleo servers for traces of this exploit by inspecting the log file or looking for the presence of a main.xml or a 60282967-dc91-40ef-a34c-38e992509c2c.xml file with embedded PowerShell commands.

This latest attack against Cleo products highlights that enterprise managed file transfer (MFT) solutions continue to be an attractive target for attackers. Ransomware groups have previously exploited vulnerabilities in Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, Fortra/Linoma GoAnywhere MFT servers in early 2023 and MOVEit Transfer deployments in May 2023.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3621746/attackers-exploit-zero-day-rce-flaw-in-cleo-managed-file-transfer.html