The cybersecurity community is on high alert as the 'Termite' ransomware group emerges as a potential perpetrator behind a series of attacks targeting Cleo's file transfer software. Recent evidence suggests that this notorious group, which also claimed responsibility for a high-profile breach at Blue Yonder, has begun exploiting a known vulnerability affecting Cleo's LexiCom, VLTransfer, and Harmony applications.
Researchers from Huntress Labs reported that the attacks began on December 3, claiming at least ten victims across various sectors, including consumer products, shipping, and food. "Our data indicates that the actual number of organizations affected could be significantly higher," the security firm stated. The vulnerabilities in Cleo's software present a severe risk, particularly given that it is used by over 4,200 customers in industries such as logistics and manufacturing.
The vulnerability in question, identified as CVE-2024-50623, is an unauthenticated remote code execution flaw in versions of Cleo's software prior to 5.8.0.21. In October, Cleo issued an alert urging users to upgrade to the patched version. However, Huntress's findings indicate that even systems updated to version 5.8.0.21 remain susceptible, posing a dire threat to operations.
"This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable," said John Hammond, a researcher at Huntress. The urgency of the situation necessitates immediate action: "We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released."
In response to the growing concerns, Cleo is actively working on a new patch. A representative for the company characterized the existing flaw as critical. "Our investigation is ongoing. Customers are encouraged to check Cleo's security bulletin webpage regularly for updates," the spokesperson stated.

Hammond shed light on the tactics employed by the attackers after exploitation. According to him, the threat actor deployed Web shell-like functionality to establish persistence within compromised systems, and used domain reconnaissance tools to enumerate potential Active Directory assets.
Championship Implications
Highlighting the association with Termite, Jamie Levy, the director of adversary tactics at Huntress, commented, "The evidence we have strongly points to Termite as the likely perpetrator of these ongoing attacks." This connection is further reinforced by the nature of previous incidents, such as the one at Blue Yonder, where similar vulnerabilities were exploited due to Cleo’s software being inadvertently exposed to the Internet.
As organizations scramble to protect themselves from potential threats, Rapid7 acknowledges the ongoing risk associated with file transfer applications. The cybersecurity firm urged affected organizations to take "emergency action" in light of these developments. "File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular," they noted in a recent blog post.
The implications of these attacks reach beyond immediate cybersecurity concerns; they could significantly disrupt operations in the affected industries, which rely heavily on Cleo’s software for secure data handling. Well-known companies such as Starbucks, Brother, and New Balance are among those at risk.
The prevalence of this type of ransomware attack highlights the critical need for businesses to regularly assess their security controls and software vulnerabilities. As Cleo works towards a permanent fix, organizations using its software must remain vigilant and proactive. The threat landscape is evolving rapidly, making it essential for companies to adapt swiftly to safeguard their data and infrastructure.
In conclusion, as the situation unfolds, the urgency for organizations to implement robust cybersecurity measures has never been clearer. Further updates from Cleo regarding the new patch, coupled with continued vigilance from affected organizations, will be crucial in mitigating the ongoing risks posed by the 'Termite' ransomware group.