ĢTV

This is some text inside of a div block.
Glitch effect

Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild

Contributors:
Special thanks to our Contributors:
Glitch effectGlitch effectGlitch effect
Glitch banner

CVE-2024-55956 Summary

On December 3, ĢTV identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for —which allows unauthenticated remote code execution—ĢTV security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.

TL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.

Based on our analysis, all versions prior to and including 5.8.0.21 are vulnerable:

  • Cleo Harmony® (5.8.0.21)
  • Cleo VLTrader® (5.8.0.21)
  • Cleo LexiCom® (5.8.0.21)

Our team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation. This blog will be frequently updated as more details emerge.

Tradecraft We Observed

The three software solutions Harmony, VLTrader, and LexiCom are often installed in the root of the filesystem, as the suggested default in their installation process:

C:\LexiCom
C:\VLTrader
C:\Harmony

We have also observed installation folders in the typical [.highlight]C:\Program Files (x86)[.highlight] directory. Inside the installation folder are numerous subdirectories, with some more pertinent to the tradecraft than others:

[.highlight]logs\[.highlight]

[.highlight]host\[.highlight]

[.highlight]autorun\[.highlight]

(etc.)

As an example, we would find logs in a full path: [.highlight]C:\LexiCom\logs\LexiCom.xml[.highlight]. Below is a record of the logs following threat actor exploitation:

There are multiple things to note in this log snippet:

  1. The first artifact of the attack chain is [.highlight]autorun\healthchecktemplate.txt[.highlight].

    Autorun files are immediately read, interpreted, and evaluated by LexiCom, Harmony, and VLTrader. We believe this is one of multiple files dropped onto the filesystem via the arbitrary file-write vulnerability. Files placed in the [.highlight]autorun[.highlight] folder are immediately deleted following their processing. Note: We have also seen [.highlight]autorun\healthcheck.txt[.highlight] used as well.
  2. A “Warning” on the second entry indicates this instance is running version 5.8.0.0, which is the unpatched version. Our proof of concept, which we will discuss below, successfully exploits version 5.8.0.21.

  3. The [.highlight]healthchecktemplate.txt[.highlight] autorun looks to invoke “Import” functionality, which is native and natural functionality of the Cleo software.

    The Import process reads in from a local file on disk. In this case, it loads [.highlight]temp\LexiCom6836057879780436035.tmp,[.highlight] which we believe to be a second file dropped via the arbitrary file-write vulnerability. This .tmp file is actually a .ZIP file, containing a subdirectory [.highlight]hosts[.highlight] with an inner [.highlight]main.xml[.highlight] file, as you see imported.

    The [.highlight]main.xml[.highlight] file observed from in-the-wild exploitation contains:

Note the specific (and mischievous) date and timestamps: 2020/10/10 00:00:00 😉

This [.highlight]main.xml[.highlight] file stages a new autorun with an action (presumably built out to be [.highlight]healthcheck.txt[.highlight]) to invoke a PowerShell command and gain code execution. Unfortunately, the [.highlight]healthchecktemplate.txt[.highlight] and [.highlight]healthcheck.txt[.highlight] files placed in the autoruns subdirectory were automatically deleted and we do not yet know their contents.

Figure 1: Exploitation as displayed within one of the Cleo software solutions
Figure 1: Exploitation as displayed within one of the Cleo software solutions

The decoded PowerShell command has been observed with this structure:

This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation. These JAR files contain webshell-like functionality for persistence on the endpoint.

We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy.

Also within the same logs folder, there may be a LexiCom.dbg log file. It will also contain information about any malicious autoruns files that have been processed, like so:

[timestamp] LexiCom.syncer [redacted] Request In <<< Multipart:
VLSync:SentReceipt;service=AS2;path="autorun/healthchecktemplate.txt"

For further post-exploitation, the threat actors were observed enumerating potential Active Directory assets with domain reconnaissance tools like nltest.exe.

ĢTV EDR depicts this child-parent process relationship like so:

Figure 2: Parent-child process relationship between nltest.exe
Figure 2: Parent-child process relationship between nltest.exe

Observed IP addresses for callbacks


[.highlight]176.123.5.126[.highlight] - AS 200019 (AlexHost SRL) - Moldova

[.highlight]5.149.249.226[.highlight] - AS 59711 (HZ Hosting Ltd) - Netherlands

[.highlight]185.181.230.103[.highlight] - AS 60602 (Inovare-Prim SRL) - Moldova

[.highlight]209.127.12.38[.highlight] - AS 55286 (SERVER-MANIA / B2 Net Solutions Inc) - Canada

[.highlight]181.214.147.164[.highlight] - AS 15440 (UAB Baltnetos komunikacijos) - Lithuania

[.highlight]192.119.99.42[.highlight] - AS 54290 (HOSTWINDS LLC) - United States

Targets Exploited

From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3.

The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries.There are still several other companies outside of our immediate view who are .

Figure 3: View of vulnerable Cleo server as seen on Shodan
Figure 3: View of vulnerable Cleo server as seen on Shodan

The ĢTV Proof of Concept

ĢTV communicated with Cleo on December 9 after creating our proof of concept. Over a Zoom call, they confirmed our understanding and the recreation of the attack chain.

Principal Security Researcher Caleb Stewart crafted a Python script that leverages the arbitrary file-write primitive to place files inside the [.highlight]autoruns[.highlight] subdirectory and prove its execution. This was tested successfully against LexiCom as well as VLTrader with both versions 5.8.0.0 and patched version 5.8.0.21.

At the time of writing, Cleo is preparing a new CVE designation and expects a new patch to be released mid-week.

How to Stay Protected

At the time of writing, the 5.8.0.21 patched versions are insufficient against the exploit we are seeing in the wild. Speaking over a Zoom call, Cleo expressed that they will have a new patch available as soon as possible.

In the interim, we have suggested mitigations in an attempt to limit the attack surface. Knowing that the latter half of this attack path relies on code execution via the [.highlight]autoruns[.highlight] directory, it is possible to reconfigure Cleo software to disable this feature. However, this will not prevent the arbitrary file-write vulnerability until a patch is released.

  1. Got to the “Configure” menu of LexiCom, Harmony, or VLTrader
  2. Select “Options”
  3. Navigate to the “Other” pane
  4. Delete the contents of the “Autorun Directory” field

This will remove the ability to process Autorun files. Please apply your own risk and threat model here -- your mileage may vary if you know that you use this feature in production.

Figure 4: Cleo Harmony System Options showing the Autorun Directory option
Figure 4: Cleo Harmony System Options showing the Autorun Directory option

If you are not a ĢTV partner, review the [.highlight]hosts[.highlight] subdirectory in your software installation directory to determine if you have been affected. The presence of a [.highlight]main.xml[.highlight] or a [.highlight]60282967-dc91-40ef-a34c-38e992509c2c.xml[.highlight] file (a name that looks to be reused across infections) with an embedded PowerShell-encoded command is a definitive indicator of compromise.

How ĢTV Has Responded

We are actively detecting and neutralizing activity related to the exploit. To do so, we have taken a three-pronged approach to effectively detect, investigate, and respond to the threat.

ĢTV SOC analysts Austin Worline, Chad Hudson, Jai Minton, andTanner Filip created detections specifically conjured to hone in on and detect the activity triggered by the range of compromised Cleo products.

Figure 5: Cleo Detection in ĢTV EDR
Figure 5: Cleo Detection in ĢTV EDR

In tandem, ĢTV analyst Amelia Casley generated an internal investigation guide to ensure that the global ĢTV SOC team could triage this emerging threat in a scalable and consistent way to keep our community secure. This guide included a reusable to analyze the encoded PowerShell adversaries were deploying.

Figure 6: Extract of ĢTV SOC Investigation Guide
Figure 6: Extract of ĢTV SOC Investigation Guide
Figure 7: CyberChef recipe
Figure 7: CyberChef recipe

Furthermore, ĢTV neutralized this threat where it appeared on endpoints by leveraging the IP Blocking feature in ĢTV Managed EDR. IP blocking adds a degree of cost to a threat actor, requiring them to rotate their infrastructure in order to reattempt a compromise. Once completed, we shared a detailed report with any impacted partners and customers.

Figure 8: Blocking Threat actor IPv4s on hosts subject to attempted compromises

Appendix A:

Sigma rules

Appendix B:

Indicators of Compromise (IOCs)

Item Details

176.123.5.126

Attacker IP embedded in encoded PowerShell

5.149.249.226

Attacker IP embedded in encoded PowerShell

185.181.230.103

Attacker IP embedded in encoded PowerShell

209.127.12.38

Attacker IP embedded in encoded PowerShell

181.214.147.164

Attacker IP embedded in encoded PowerShell

192.119.99.42

Attacker IP embedded in encoded PowerShell

60282967-dc91-40ef-a34c-38e992509c2c.xml

Standard XML file to prepare post-exploitation

healthchecktemplate.txt or healthcheck.txt

Malicious autoruns files

Acknowledgments

Special thanks to Jai Minton, Tanner Filip, Dray Agha, Austin Worline, Chad Hudson, Amelia Casley, Jamie Levy, John Hammond, Caleb Stewart, Matt Kiely, Matt Anderson, and others for their tireless efforts and contributions to this investigation and writeup.

Share

Sign Up for Blog Updates

Subscribe today and you’ll be the first to know when new content hits the blog.

By submitting this form, you accept our Privacy Policy
Oops! Something went wrong while submitting the form.
ĢTV at work
Response to Incidents
Response to Incidents