
Malichus Malware Exploiting Cleo 0-day Vulnerability In Wild

Source: Vulnerability (cybersecuritynews.com)


Author: Guru Baran

Threat actors are actively exploiting a critical zero-day vulnerability (CVE-2024-50623) in Cleo’s file transfer products Harmony, VLTrader, and LexiCom.

The flaw, stemming from an unrestricted file upload and download vulnerability, allows unauthenticated remote code execution (RCE), posing a severe risk to enterprises relying on Cleo’s software for secure file transfers.

The vulnerability was first publicized by security vendor Huntress, who noted that the flaw stemmed from an incomplete patch released by Cleo in October.

Despite subsequent patches, attackers have found ways to bypass these, leading to widespread exploitation. Huntress telemetry indicates that at least ten businesses, primarily in consumer products, the food industry, trucking, and shipping, have been compromised.

A new malware family named Malichus has been identified as exploiting a zero-day vulnerability in Cleo file transfer software.

This vulnerability, tracked as CVE-2024-50623, affects Cleo’s Harmony, VLTrader, and LexiCom products, allowing attackers to execute arbitrary code remotely.

Malichus Malware Employs 3 Stages
The Malichus malware operates in three distinct stages:

[Figure: Malichus malware attack chain]
Stage 1: PowerShell Downloader
The initial stage involves a small PowerShell loader that prepares the host for further exploitation. This loader is stored as a base64 blob, which, upon decoding, executes a Java Archive named `cleo.[numerical-identifier]`.

It establishes a TCP connection to a command-and-control (C2) server to retrieve the second-stage payload.

The loader also sets a variable called `Query`, which is crucial for identifying the C2 address and the victim’s IP address.

Stage 2: Java Downloader
The second stage involves downloading and decrypting a Java Archive using a unique AES key per payload. This archive contains a manifest file that triggers the execution of the `start` class.

The backdoor retrieves the `Query` environment variable, decodes it to obtain the AES key, and uses it to download the third stage payload via TLS v3.

The downloaded data is then decrypted, revealing a corrupted zip file, which is repaired by removing the first two bytes before extraction and loading.

Stage 3: Java Backdoor / Post Exploitation Framework
The final stage is a modular Java-based post-exploitation framework comprising nine class files. The primary driver, the `Cli` class, is loaded by the previous stage.

This framework supports both Linux and Windows environments, although Huntress observed its usage primarily on Windows systems.

It uses parameters passed from stage 2 to communicate with the C2 server, identify the exploited system, and manage the malware’s persistence and data theft activities.
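As an added defender-side triage example (not code from the article, Huntress or Cleo), the Python below checks two artefacts implied by the stage descriptions above: it lists files named like the stage-1 archive `cleo.<digits>`, and tests whether a recovered stage-2 download is a ZIP/JAR whose first two bytes are junk, as the article describes, listing its entries once repaired. The `cleo.<digits>` pattern and the embedded sample JAR are constructed assumptions.

```python
"""Triage helpers for the Malichus stage artefacts described in the article.
Added example, not the article's or Huntress's code; the sample JAR is constructed."""
import io
import re
import zipfile
from pathlib import Path
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"
# Assumed filename pattern for the stage-1 archive `cleo.[numerical-identifier]`.
LOADER_NAME = re.compile(r"^cleo\.\d+$")


def repair_zip(blob: bytes) -> Optional[bytes]:
    """Return a usable archive if `blob` is a ZIP, or a ZIP with two junk leading bytes."""
    for skip in (0, 2):  # 0 = intact archive, 2 = the two-byte prefix the article describes
        candidate = blob[skip:]
        if candidate.startswith(ZIP_MAGIC) and zipfile.is_zipfile(io.BytesIO(candidate)):
            return candidate
    return None


def jar_entries(blob: bytes) -> List[str]:
    """Entry names of a (repaired) archive, manifest first; empty list if it is not a ZIP."""
    fixed = repair_zip(blob)
    if fixed is None:
        return []
    with zipfile.ZipFile(io.BytesIO(fixed)) as zf:
        return sorted(zf.namelist(), key=lambda n: n != "META-INF/MANIFEST.MF")


def find_loader_artifacts(root: Path) -> List[Path]:
    """Files under `root` whose name matches the stage-1 `cleo.<digits>` naming pattern."""
    return sorted(p for p in root.rglob("*") if p.is_file() and LOADER_NAME.match(p.name))


def constructed_sample() -> bytes:
    """Constructed stand-in for a stage-2 download: a tiny JAR with two junk bytes prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: start\n")
        zf.writestr("start.class", b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return b"\x00\x00" + buf.getvalue()


if __name__ == "__main__":
    print(jar_entries(constructed_sample()))
    print(find_loader_artifacts(Path(".")))
```

Run `find_loader_artifacts` against the Cleo installation and autorun directories you are reviewing; `jar_entries` is meant for blobs recovered from disk or network captures.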

Huntress security researchers first publicized the attacks on Monday, noting that the vulnerability was being exploited en masse to steal data from at least ten businesses, primarily in the consumer products, food industry, trucking, and shipping sectors.

The attacks began as early as December 3, with a significant uptick observed on December 8.

Cleo has acknowledged the vulnerability and released an advisory urging customers to upgrade to the latest product version (5.8.0.21) to address additional attack vectors.

However, Huntress has indicated that even this patch is insufficient against the exploits observed in the wild. Cleo is preparing a new CVE designation and expects to release a new patch mid-week.

Rapid7 has advised Cleo customers to remove affected products from the public internet and place them behind a firewall. Additionally, disabling Cleo’s Autorun Directory can prevent the latter part of the attack chain from being executed.

This campaign echoes previous attacks by notorious groups like Clop, which targeted managed file transfer software to steal and ransom customer data. While attribution remains unclear, there are unconfirmed reports suggesting involvement by the Termite group, known for a recent attack on Blue Yonder.

The active exploitation of Cleo’s software underscores the critical need for robust cybersecurity measures, especially in sectors handling sensitive data. Companies using Cleo products are advised to take immediate action to secure their systems and monitor for any signs of compromise dating back to at least December 3, 2024.

IOCs



Original version on the site: Malichus Malware Exploiting Cleo 0-day Vulnerability In Wild


CSN project news:


csn.net4me.net site update

  • We have physically moved to a new server. We thank our subscribers and regular readers for their patience and understanding.
  • The csn.net4me.net site is now fully adapted to work over an encrypted SSL connection.
  • The mechanism for processing and displaying dangerous and critical vulnerabilities has been changed.

Thank you for being with us.


https://csn.net4me.net/cyber_security_8301.html

Additional material

About the CSN project

The CSN.net4me.net project was born on 16 March 2018.
The project is at the very beginning of its development. Of course, the design and content will change. One thing will remain unchanged: the freshest news on computer and network security.

About the net4me project

The net4me.net project developed as a collection of ready-made solutions and documentation on computer security, networking solutions and free software (in particular Linux). The pace of development in the IT industry turned out to be so fast that some knowledge, technologies and the information about them became outdated instantly. Nevertheless, some net4me.net material is still in demand.

About the sources

CSN takes its news from open sources accessible to everyone. The project's authors try to select authoritative and verified sources, but nevertheless bear no responsibility for the content of the news. Each news item indicates its source, its author and a link to the original.

Information

If you would like news from your resource to be published on the CSN site, contact the project's authors at csn@net4me.net and suggest a link to your resource's RSS or XML news feed. Any suggested information will be reviewed by the editors.