Dive Brief:
- Researchers have now traced exploitation of a critical vulnerability in Cleo file transfer software back to October, Mandiant Consulting CTO Charles Carmakal said in a LinkedIn post Wednesday. Mandiant’s discovery puts active exploitation at least a month earlier than previously observed by other researchers.
- Mandiant identifies the cluster actively exploiting the two vulnerabilities, CVE-2024-50623 and CVE-2024-55956, as UNC5936. Researchers say the cluster has overlaps with FIN11, also known as Clop, which claimed responsibility for the attacks earlier this month.
- There is currently no evidence of mass data theft, which was observed in prior campaigns by the threat group, Carmakal said. However, malicious backdoors including Beacon and Goldtomb have been deployed on exploited systems.
Dive Insight:
Researchers at Huntress, Rapid7 and other firms previously confirmed active exploitation of vulnerabilities in Cleo Harmony, VLTrader and Lexicom. Huntress originally warned that the patch for CVE-2024-50623, an unrestricted file upload and download vulnerability, was not offering adequate protection and could be bypassed by outside attackers.
The second vulnerability, CVE-2024-55956, which allows unauthenticated users to upload and execute arbitrary bash or PowerShell commands, was later identified and patched. A CVE number was assigned to the vulnerability late last week.
The Cybersecurity and Infrastructure Security Agency added CVE-2024-55956 to its known exploited vulnerabilities catalog on Tuesday and noted it has been used in ransomware campaigns.
Researchers from Censys observed about 1,440 internet-exposed instances of Harmony, VLTrader and Lexicom, of which 63% were located in the U.S. About 1,011 of those hosts were seen running an unpatched version prior to 5.8.0.24, leaving them at risk of exploitation via CVE-2024-55956.
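As an added defender-side illustration (not code from the article or from Cleo), the following script triages a host inventory against the 5.8.0.24 threshold the article cites, flagging any Harmony, VLTrader or LexiCom build prior to it. The hostnames and versions in the inventory are constructed samples, and the version strings are assumed to be plain dotted numerics.

```python
# Added example, not from the article: flag Cleo hosts still on a build
# prior to 5.8.0.24, the patched release the article cites for CVE-2024-55956.
from typing import List, Tuple

PATCHED_VERSION = (5, 8, 0, 24)  # threshold taken from the article


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24), padded to four components.

    Numeric comparison matters: as strings, '5.8.0.9' sorts after
    '5.8.0.24' and would be wrongly treated as patched.
    """
    parts = tuple(int(part) for part in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the build predates the patched release."""
    return parse_version(version) < PATCHED_VERSION


# Constructed sample inventory: "hostname,product,version" (placeholder hosts).
SAMPLE_INVENTORY = """\
mft-01.example.internal,Harmony,5.8.0.21
mft-02.example.internal,VLTrader,5.8.0.24
mft-03.example.internal,LexiCom,5.8.0.9
mft-04.example.internal,Harmony,5.8.0.25
"""


def triage(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every host on an unpatched build."""
    flagged = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue  # skip blank lines
        host, product, version = line.split(",")
        if is_vulnerable(version):
            flagged.append((host, product, version))
    return flagged


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} ({product} {version})")
```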
Carmakal said it's possible the threat group may leverage the deployed backdoors to further compromise victims and deploy ransomware, but thus far that has not been observed.
The threat group has been linked to numerous exploitation campaigns in recent years, including Accellion FTA in 2021, SolarWinds Serv-U in 2021, Fortra GoAnywhere in 2023 and Progress Software’s MOVEit in 2023.
Cleo officials were not immediately available for comment.
Correction: A previous version of the article misidentified the vulnerable instances of the file transfer software. It impacts unpatched versions prior to 5.8.0.24.