BleepingComputer reports that attacks exploiting an improperly patched vulnerability in Cleo managed file transfer software, tracked as CVE-2024-50623, have been conducted by threat actors to facilitate data exfiltration across at least 10 organizations since Dec. 3.
Attackers using U.S., Canadian, Moldovan, Lithuanian, and Dutch IP addresses targeted vulnerable Cleo LexiCom, Harmony, and VLTrader instances to write new files into the targeted endpoints' autorun directory, triggering the deployment of ZIP files containing XML configurations that execute PowerShell commands to retrieve payloads and remove malicious files, according to an analysis from Huntress. Aside from conducting Active Directory domain enumeration, threat actors also sought persistence via web shells and performed data theft through TCP channels, said researchers, who urged admins to implement firewalls and limit external access while waiting for an official fix from Cleo. Meanwhile, such active exploitation has been linked by cybersecurity expert Kevin Beaumont to the Termite ransomware operation, which took responsibility for an attack against U.S. supply chain management platform Blue Yonder.
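A defender's check for the drop pattern described above, added here as an example rather than anything from the report, Huntress or Cleo: it scans an assumed autorun directory for ZIP archives whose XML members carry PowerShell download or cleanup commands and reports each hit. The directory location, the indicator patterns and the sample archives are constructed assumptions and must be adapted to the actual install.

```python
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass, field
from pathlib import Path

# Heuristic indicators for the behaviour described in the report: an XML
# configuration that launches PowerShell to fetch a payload or delete files.
# These patterns are an assumption about what a defender would look for.
SUSPICIOUS_PATTERNS = {
    "powershell": re.compile(r"powershell(\.exe)?", re.IGNORECASE),
    "download": re.compile(
        r"Invoke-WebRequest|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b",
        re.IGNORECASE,
    ),
    "cleanup": re.compile(r"Remove-Item|\bdel\b|\berase\b", re.IGNORECASE),
}

MAX_MEMBER_BYTES = 1_000_000  # skip oversized members to avoid decompression bombs


@dataclass
class Finding:
    archive: str
    member: str
    indicators: list = field(default_factory=list)


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: text}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def inspect_archive(data: bytes, archive_name: str) -> list:
    """Return a Finding for each XML member whose text matches an indicator."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP, nothing to inspect here
    with zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml") or info.file_size > MAX_MEMBER_BYTES:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
            if hits:
                findings.append(Finding(archive_name, info.filename, hits))
    return findings


def scan_autorun_dir(autorun_dir) -> list:
    """Check every regular file in autorun_dir that looks like a ZIP archive.

    autorun_dir is the Cleo autorun directory; its actual location is an
    assumption left to the operator and is not taken from the report.
    """
    findings = []
    for path in sorted(Path(autorun_dir).iterdir()):
        if path.is_file():
            data = path.read_bytes()
            if data[:2] == b"PK":  # ZIP local-file-header signature
                findings.extend(inspect_archive(data, path.name))
    return findings


def demo() -> list:
    """Constructed scenario: a benign archive beside one mimicking the reported pattern."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.zip").write_bytes(
            make_zip({"job.xml": "<job><name>nightly</name></job>"})
        )
        (root / "dropped.zip").write_bytes(make_zip({
            "main.xml": "<cmd>powershell -c Invoke-WebRequest $url -OutFile p; "
                        "Remove-Item main.xml</cmd>"
        }))
        (root / "notes.txt").write_text("not an archive")
        return scan_autorun_dir(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.archive}:{f.member} -> {', '.join(f.indicators)}")
```

Run it unattended against the real autorun directory, and treat any finding as an alert to correlate with PowerShell process creation events on the same host; the indicator list is deliberately small and should be extended from whatever the vendor and Huntress publish.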