
Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility

But can you really take crims at their word?


Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-linked gang Cl0p has claimed are its evil work.

This story starts in October when Cleo patched its Harmony, VLTrader, and LexiCom products to address an unrestricted file upload and download flaw that could lead to remote code execution (RCE).

But last week infosec outfit Huntress warned that Cleo's products were under attack after the patches were bypassed. Huntress's researchers advised that mass exploitation was occurring, at least ten businesses had been compromised, and even fully patched systems were exploitable.

The security shop later identified a new malware strain named Malichus that exploits the problem.

Cleo urged customers to update its Harmony, VLTrader, and LexiCom products to version 5.8.0.21, which the vendor claimed patched CVE-2024-50623.

The software vendor has since issued a security alert for a new vulnerability, CVE-2024-55956, and "strongly advises" customers to upgrade instances of Harmony, VLTrader, and LexiCom to version 5.8.0.24, which it says addresses a previously reported critical bug.
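The practical takeaway from the two advisories is that the October build (5.8.0.21) is no longer a safe floor: an instance on that version has the CVE-2024-50623 fix but is still exposed to the CVE-2024-55956 bypass, and only 5.8.0.24 or later counts as patched. The following is an added example, not Cleo's, Huntress's or Rapid7's code, that triages a constructed inventory of Harmony, VLTrader and LexiCom instances against those two thresholds. The host names, the CSV layout and the version values other than 5.8.0.21 and 5.8.0.24 are assumptions; how you collect the installed version from each host is left to your own tooling.

```python
# Added example (not Cleo's or any researcher's code): flag Cleo Harmony,
# VLTrader and LexiCom instances still below the build Cleo says addresses
# CVE-2024-55956. The inventory below is constructed for illustration; the
# host names and the collection method are assumptions.
from typing import List, Tuple

FIXED_VERSION = "5.8.0.24"   # Cleo's advised build for CVE-2024-55956
OCTOBER_PATCH = "5.8.0.21"   # addressed CVE-2024-50623 only; bypassed in December
CLEO_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so each component compares numerically.
    A plain string compare would wrongly rank '5.8.0.9' above '5.8.0.24'."""
    return tuple(int(part) for part in v.strip().split("."))


def assess(product: str, version: str) -> str:
    """Classify one instance: patched, bypass-only exposure, or exposed to both CVEs."""
    if product not in CLEO_PRODUCTS:
        return "not-cleo"
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "patched"
    if v >= parse_version(OCTOBER_PATCH):
        # Has the October fix for CVE-2024-50623, still exposed to CVE-2024-55956.
        return "vulnerable-bypass"
    return "vulnerable-both"


def triage(inventory_csv: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, status) for every Cleo instance that still needs the upgrade."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = [f.strip() for f in line.split(",")]
        status = assess(product, version)
        if status.startswith("vulnerable"):
            findings.append((host, product, version, status))
    return findings


# Constructed sample inventory: host, product, installed version (all hypothetical
# except the two Cleo build numbers quoted in the advisories).
SAMPLE_INVENTORY = """\
mft01.example.internal, Harmony, 5.8.0.24
mft02.example.internal, VLTrader, 5.8.0.21
mft03.example.internal, LexiCom, 5.8.0.9
sftp01.example.internal, OpenSSH, 9.6
"""

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {status}")
```

The three-way result matters for prioritisation: a host reported as "vulnerable-bypass" was patched in October and may look compliant in a scanner that only knows CVE-2024-50623, which is exactly the population Huntress described as "fully patched" yet exploitable.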

According to cyber security platform vendor Rapid7, CVE-2024-55956 is a bypass of the earlier flaw, CVE-2024-50623, and has been exploited. "Our team has observed enumeration and post-exploitation activity and is investigating multiple incidents," the threat hunters wrote last week.

Cleo did not immediately respond to The Register's questions – including how many customers had been compromised, and what exactly the relationship between CVE-2024-50623 and CVE-2024-55956 is. We will update this story if any substantive response should appear.

By December 13, the US Cybersecurity and Infrastructure Security Agency (CISA) had added the Cleo bug to its catalog of Known Exploited Vulnerabilities, and listed it as being abused in ransomware campaigns. Shortly after, Cl0p reportedly posted a cryptic message on its data leak site that seemingly claimed to be responsible for the attacks:

Dear companies

Due to recent events (attack of CLEO)

all links to data of all companies will be disabled and data will be permanently deleted from servers.

We will work only with new companies

The criminals also wished everyone a "Happy New Year." They did not, however, post any sample data to download.

Cl0p posted a cryptic message on its data leak site

Neither CISA nor the FBI immediately responded to The Register's questions about which ransomware gang was behind the attacks and how many victims had been compromised.

Cl0p, as El Reg readers likely remember, is the Russia-linked ransomware crew that also exploited a critical security hole in Progress Software's MOVEit product suite back in May 2023, and used this flaw to steal data from thousands of organizations and millions of individuals. Because of the similarities between Cleo and MOVEit products – and the fact that the MOVEit attack is still claiming victims – infosec experts are watching the Cleo situation closely.

But the jury is still out on whether people should believe Cl0p's claims.


"I'm still waiting for more definitive proof that it was Cl0p that performed these attacks, personally," John Hammond, Huntress principal security researcher, told The Register. "Until I see the victim notifications and data to download, I'm not sure I trust a threat actor's word quite yet."

He added that Cleo's most recent update does plug the hole. "As far as I know 5.8.0.24 is successful at preventing our proof-of-concept exploit for the new, December-based CVE-2024-55956," Hammond asserted.

Still, it's too soon to say who is behind the exploits. The Cleo activity that Huntress has been tracking "didn't entirely line up with" Cl0p's usual tradecraft, Hammond added, "So I am still speculative."

'Waiting for proof'

Hammond also worries that the message on Cl0p's leak site isn’t proof of the group's involvement.

"I'm not certain if this means they are claiming responsibility for the Cleo attacks, or if it is just a strange timing of their choice to remove all the old data," Hammond told The Register. "One possibility is that they are preparing to post all new victims and begin negotiating, but, it is all only speculation for now."

Rapid7's senior director of threat analytics Christiaan Beek also said his team hasn't seen any "hard evidence" pointing to Cl0p – or any other group – being involved in attacks on Cleo products. "However, we have seen Cl0p utilize complex chains similar to this vulnerability in multiple file transfer use cases before, such as MOVEit and Accellion FTA in 2021," he told The Register.

"Cl0p usually uses pure zero-day chains or vulnerabilities," Beek added. "This was an 'impure' chain in that one of the vulnerabilities was fixed and potentially exploited before Cl0p started using it – that we know of."

And while no one (other than the perpetrators themselves, who may or may not be Cl0p) has independently confirmed who or what is abusing Cleo's products, the tactics do appear to line up with Cl0p's modus operandi, according to Ferhat Dikbiyik, chief research and intelligence officer at Black Kite.

"This aligns with Cl0p's typical pattern: exploit a vulnerability at scale, negotiate quietly with initial victims, and then publicly announce their campaign to apply additional pressure," Dikbiyik told The Register. "Based on their previous attacks on MOVEit and GoAnywhere, we can expect victim names to start surfacing within one to two weeks." ®
