Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 10-Dec-2024 20:41:24 JST:
Termite ransomware group operators have a zero day exploit for Cleo LexiCom, VLTransfer, and Harmony. #ransomware #threatintel
Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 10-Dec-2024 20:41:58 JST:
This builds upon Huntress' (excellent) blog https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 10-Dec-2024 20:58:19 JST:
I would fully pull the plug on impacted Cleo products until there's vendor clarity btw.
Shodan dork (not exhaustive) - the Windows ones are a particular problem in terms of ransomware.
https://beta.shodan.io/search?query=http.html_hash%3A1534766930
Fritz Adalis (fritzadalis@infosec.exchange), Tuesday, 10-Dec-2024 21:06:50 JST:
@GossiTheDog
LOL
Server: Cleo LexiCom/4.2 (Windows 2000)
Rich Felker (dalias@hachyderm.io), Tuesday, 10-Dec-2024 21:11:11 JST:
@GossiTheDog I love zero days in products I've never heard of that are probably advertised on airport billboards... 🙃
Fritz Adalis (fritzadalis@infosec.exchange), Tuesday, 10-Dec-2024 21:18:19 JST:
@GossiTheDog
I should have looked at page 2...
Server: Cleo LexiCom/4.5 (Windows NT (unknown))
Fritz Adalis (fritzadalis@infosec.exchange), Tuesday, 10-Dec-2024 21:20:00 JST:
@GossiTheDog
Those teeth are disturbing somehow.
Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 10-Dec-2024 23:09:11 JST:
Cleo have issued a (paywalled) advisory about the zero day, saying a new CVE number is being allocated.
Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 10-Dec-2024 23:15:16 JST:
Rapid7 say "As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents." https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/ #cleo #threatintel
hsmolin (hsmolin@mastodon.bawue.social), Tuesday, 10-Dec-2024 23:23:55 JST:
@GossiTheDog They'd better fix the issue rather than requesting a handle... no significant progress visible, is there?
Not a Goat 🦝 (screaminggoat@infosec.exchange), Tuesday, 10-Dec-2024 23:38:04 JST:
@GossiTheDog public Cleo security advisory: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Peding
Cleo Product Security Advisory (CVE Peding) [sic]
Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 10-Dec-2024 23:40:13 JST:
After my toot, Cleo have issued a public advisory; they're saying versions up to 5.8.0.23 (not out yet) are impacted.
In terms of threat intel, the ransomware operators I know of only have an exploit for the Windows versions, not Linux.
https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Peding
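To turn the Server banners Fritz quoted earlier in the thread and the affected-version note from this post into an inventory triage, here is an added example in Python. It is not code from the thread, from Cleo or from Shodan. It parses HTTP Server headers of the form "Cleo LexiCom/4.2 (Windows 2000)", compares the version against the "up to 5.8.0.23" figure given in the post (re-check that threshold against the current vendor advisory before relying on it), and ranks Windows hosts first because the thread reports the operators' exploit as Windows-only so far. All banners in the block are constructed: the first two mirror the ones quoted in the thread, the Harmony/5.8.0.24 line is a made-up value to exercise the "not impacted" branch, and product names are matched generically rather than against a fixed list.

```python
import re
from typing import Optional

# Added example; the threshold is the "versions up to 5.8.0.23 are impacted"
# figure quoted in the thread, not a value taken from Cleo's advisory directly.
LAST_IMPACTED = (5, 8, 0, 23)

# Matches banners such as "Server: Cleo LexiCom/4.2 (Windows 2000)"; the product
# name is matched generically so the other Cleo product lines parse as well.
BANNER_RE = re.compile(
    r"^Server:\s*Cleo\s+(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)"
    r"\s*(?:\((?P<os>.*)\))?\s*$"
)


def parse_version(text: str) -> tuple:
    """'4.2' -> (4, 2, 0, 0); padding makes comparison with four-part versions exact."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * max(0, 4 - len(parts)))


def triage_banner(line: str) -> Optional[dict]:
    """Return a triage record for a Cleo Server banner, or None for anything else."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    os_name = m.group("os") or "unknown"
    return {
        "product": m.group("product"),
        "version": m.group("version"),
        "os": os_name,
        "impacted": parse_version(m.group("version")) <= LAST_IMPACTED,
        # The thread reports the operators' exploit as Windows-only so far.
        "windows": os_name.lower().startswith("windows"),
    }


def priority(record: dict) -> str:
    """Action bucket for one host, most urgent first."""
    if record["impacted"] and record["windows"]:
        return "isolate now"
    if record["impacted"]:
        return "patch or take offline"
    return "verify patched"


def triage_all(lines):
    """Parse every banner, drop non-Cleo lines, and order by urgency."""
    records = [r for r in map(triage_banner, lines) if r is not None]
    return sorted(records, key=lambda r: (not r["impacted"], not r["windows"]))


# Constructed banners: the first two mirror what Fritz quoted in the thread,
# the Harmony line is a made-up "fixed" version, the nginx line is noise.
SAMPLE_BANNERS = [
    "Server: Cleo LexiCom/4.2 (Windows 2000)",
    "Server: Cleo LexiCom/4.5 (Windows NT (unknown))",
    "Server: Cleo Harmony/5.8.0.24 (Linux)",
    "Server: nginx/1.24.0",
]

if __name__ == "__main__":
    for rec in triage_all(SAMPLE_BANNERS):
        print(f"{priority(rec):22} {rec['product']}/{rec['version']} on {rec['os']}")
```

Banner matching is an input to asset inventory, not proof: as the Shodan dork note says, it is not exhaustive, banners can be altered or hidden behind a proxy, and a host that does not announce itself may still be running the product. Reconcile the output against the real software inventory before deciding anything is clean.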
Kevin Beaumont (gossithedog@cyberplace.social), Wednesday, 11-Dec-2024 02:55:28 JST:
"In an emailed statement given to TechCrunch, Jorge Rodriguez, SVP of product Development at Cleo, said that a patch for the critical vulnerability is “under development.”"
Kevin Beaumont (gossithedog@cyberplace.social), Wednesday, 11-Dec-2024 09:48:09 JST:
Sophos says they have seen 50+ systems with Cleo enterprise file transfer product zero day exploitation. Huntress say 28+ customers so far. Rapid7 haven’t given numbers.
Kevin Beaumont (gossithedog@cyberplace.social), Thursday, 12-Dec-2024 03:34:17 JST:
A writeup on the Cleo vulnerabilities, which are under mass exploitation now. Write any file into any folder by using path=..\..\..\ - since it's a webapp, just drop a webshell.
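The traversal described in the post above (a client-controlled path parameter containing ..\..\..\ that lets the web app write outside its intended folder) is the classic failure of joining user input onto a base directory without confining the result. As an added example, not code from the thread or from Cleo, the Python below shows the hardened shape of such a join, treating both separators as separators because the affected deployments are Windows, together with a small check a defender can run over request logs to spot the same pattern, encoded or not. The base directory, the path= parameter name and the log lines are all constructed for this example.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Added example; hypothetical base directory for a file-transfer app's inbox.
BASE_DIR = "/var/cleo/inbox"

DRIVE_RE = re.compile(r"^[A-Za-z]:")


def safe_upload_path(base_dir: str, user_path: str) -> str:
    """Map a client-supplied relative path onto base_dir, refusing any value
    that would resolve outside it. Assumes the web framework has already
    URL-decoded user_path exactly once (do not decode it again here: double
    decoding is how %252e%252e slips past a check)."""
    if not user_path or "\x00" in user_path:
        raise ValueError(f"empty or NUL-containing path: {user_path!r}")
    # The affected deployments run on Windows, so "\" is a separator too;
    # the payload quoted in the thread uses backslashes.
    candidate = user_path.replace("\\", "/")
    if candidate.startswith("/") or DRIVE_RE.match(candidate):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    # Lexical normalisation collapses "a/./b" and "a/b/../c"; whatever still
    # starts with ".." afterwards climbs out of the base directory.
    collapsed = posixpath.normpath(candidate)
    if collapsed == ".." or collapsed.startswith("../"):
        raise ValueError(f"traversal rejected: {user_path!r}")
    # Independent second check using the host's own path rules: the final
    # absolute target must have base_dir as its common prefix path.
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, *collapsed.split("/")))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"escaped base directory: {user_path!r}")
    return target


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_upload_path for policy checks."""
    try:
        safe_upload_path(base_dir, user_path)
        return True
    except ValueError:
        return False


# Detection side: spot traversal in a request parameter as it appears in a raw
# access log, where the value may still be URL-encoded (once or twice).
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
PATH_PARAM_RE = re.compile(r"[?&\s]path=([^\s&\"]+)")


def is_traversal_attempt(raw_value: str) -> bool:
    decoded = unquote(unquote(raw_value))  # collapse single and double encoding
    return bool(TRAVERSAL_RE.search(decoded.replace("\\", "/")))


def flag_requests(log_lines):
    """Return the log lines whose path= parameter contains a traversal sequence."""
    flagged = []
    for line in log_lines:
        m = PATH_PARAM_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not real Cleo logs); the first is benign.
SAMPLE_REQUESTS = [
    '203.0.113.10 "POST /upload?path=reports/q4.csv" 200',
    '203.0.113.11 "POST /upload?path=..\\..\\..\\dropped.jsp" 200',
    '203.0.113.12 "POST /upload?path=%252e%252e%252f%252e%252e%252fdropped.jsp" 200',
]

if __name__ == "__main__":
    for line in flag_requests(SAMPLE_REQUESTS):
        print("traversal attempt:", line)
    print(safe_upload_path(BASE_DIR, "reports/q4.csv"))
```

The two checks in safe_upload_path are deliberately redundant: the lexical one catches the obvious cases with a clear error, and the commonpath check catches anything the normalisation missed on the host's real path rules. The log check is a triage aid only; it keys on one parameter name and on dot-dot sequences, so treat a hit as a reason to look at the host rather than as confirmation of compromise.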
Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 14-Dec-2024 03:11:39 JST:
Another write up on the Cleo zero day: https://arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/
Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 14-Dec-2024 03:28:24 JST:
I think the Cleo thing shows the industry and community working very well, btw.
From zero day in an MFT product to approx 2/3rd of servers now offline or patched in days. As far as I know, since mass exploitation began (important caveat) none of the victims had follow on activity, ie ransomware.
That’s a really good outcome. The reason, I think, is openness and transparency - Huntress went public early and everybody leaped on it loudly in the community. Be more open.
Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 14-Dec-2024 03:32:29 JST:
Had the threat actor gone more slowly and hit orgs prone to cover ups (ie large enterprises) that would have been a very different outcome.
The smaller Managed Detection and Response vendors have the window to do something very funny and talk about things rather than doing a CrowdStrike, MS etc and doing a cover up - it breaks the race to the bottom, and is one area where the market is getting healthier.
Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 14-Dec-2024 05:02:08 JST:
CISA have added the new CVE for the Cleo zero day to KEV.
Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 14-Dec-2024 06:46:20 JST:
nope
Kevin Beaumont (gossithedog@cyberplace.social), Monday, 16-Dec-2024 06:20:28 JST:
Top stuff from Bleeping Computer here in terms of investigation.
So it looks like some ransomware operators are wearing multiple group hats.
Kevin Beaumont (gossithedog@cyberplace.social), Monday, 16-Dec-2024 06:23:26 JST:
For what it’s worth, I’ve found some novel ways of tracking ransomware operators. I don’t want to reveal how as I don’t want to blow the access.
Also, good on cl0p for narrowing the extortion criteria.
Kevin Beaumont (gossithedog@cyberplace.social), Friday, 24-Jan-2025 04:00:57 JST:
Cl0p ransomware group plan to start dropping data obtained from Cleo MFT zero day tomorrow for about 50 orgs, list here: https://infosec.exchange/@cR0w/113879140146742766
Kevin Beaumont (gossithedog@cyberplace.social), Friday, 24-Jan-2025 05:14:42 JST:
@leyths yes
David (leyths@mastodon.world), Friday, 24-Jan-2025 05:14:43 JST:
@GossiTheDog is this different to the last BlueYonder cyber incident thing from November last year?
Kevin Beaumont (gossithedog@cyberplace.social), Friday, 24-Jan-2025 22:31:03 JST:
Cl0p have started publishing the stolen Cleo MFT data. Have confirmed with one of the victim orgs it came from their Cleo server. #cleo #threatintel #ransomware