Termite Exploits Cleo Zero-Day in Widespread Attacks

PureID

Srishti Chaubey

December 19, 2024

Cleo Zero Day Vulnerability

Introduction

Cleo’s popular file transfer software has fallen victim to a critical zero-day vulnerability, and the Termite ransomware group is wasting no time exploiting it. This flaw impacts Cleo’s Harmony, VLTrader, and LexiCom products—tools trusted by over 4,200 organizations in industries like logistics, manufacturing, and transportation.

Despite an earlier patch in October, the flaw (CVE-2024-50623) remains a serious threat, leaving businesses scrambling to protect their data and operations.

Cleo Zero Day Vulnerability
Credit: Huntress

What’s Happening with the Cleo Zero-Day?

The vulnerability allows attackers to upload malicious files, execute commands remotely, and potentially steal sensitive data. First detected on December 3, the attacks have escalated rapidly, targeting industries like consumer goods and trucking.

The Technical Lowdown:

  • Affected Products: Harmony, VLTrader, and LexiCom (versions before 5.8.0.21).
  • What’s the Risk?: Attackers can run unauthorized commands, leading to data breaches and operational disruptions.
  • The Culprit: Termite ransomware, which has already hit major organizations like Blue Yonder and Starbucks, is suspected.

How to Stay Safe: Immediate Steps to Take

While Cleo develops a new patch, here’s how you can mitigate the risk:

  1. Unplug from the Internet: Temporarily disconnect Cleo systems from public access.
  2. Turn Off Autorun:
    • Open Cleo’s settings.
    • Go to Configure > Options > Other Pane and disable the autorun directory.
    • Save the changes.
  3. Check for Signs of Trouble:
    • Look for suspicious files like healthchecktemplate.txt or .jar files in Cleo directories.
    • Use Cleo-provided scripts to scan for malicious activity.
  4. Stay Updated: Monitor Cleo’s security bulletins for patch updates.

Who’s Behind This?

All signs point to Termite, a growing ransomware group that mirrors the infamous Clop gang in its operations. Termite has gained a reputation for targeting file transfer software vulnerabilities, and some experts speculate they could be filling the gap left by Clop’s declining activity.

Their tactics include deploying malicious web shells to maintain access, running reconnaissance tools to identify assets, and using stolen data as leverage in ransom demands.

Conclusion

The Cleo zero-day vulnerability serves as another reminder of how quickly ransomware groups exploit weaknesses in trusted software. Organizations relying on Cleo products need to act now to protect their systems and data.

Third-Party Breaches: A Growing Concern

The ripple effects of a breach like this extend far beyond the immediate victims. High-profile organizations like Target, Walmart, Lowes, CVS, The Home Depot, FedEx, Kroger, Wayfair, Dollar General, Victrola, and Duraflame, which rely on Cleo software, now face the risk of third-party breaches. Attackers targeting Cleo’s vulnerabilities could exploit access to these businesses’ supply chains, putting customer data and operations at risk.

Third-party breaches are a significant pain point for businesses today, exposing them to reputational damage, financial loss, and regulatory scrutiny. Companies must assess their supply chain security and demand transparency and accountability from vendors like Cleo.

Share this article    

Connect with Us!

Subscribe to receive new blog post from PureID in your mail box