Since December 2024, CYFOR Secure has responded to multiple incidents involving the exploitation of vulnerabilities in Cleo’s Managed File Transfer (MFT) software. These attacks, carried out by the Cl0p ransomware group, targeted organisations across various sectors and underscored the importance of proactive security measures. This blog examines the incidents and explores how organisations could have mitigated these risks. 

Who is Cl0p? 

Cl0p – also affiliated with the criminal groups TA505 and FIN11 – has been operating for the last three years and is regarded as one of the most prolific and dangerous ransomware groups in the threat landscape. Security researchers who have studied Cl0p describe it as a ‘criminal enterprise’ that is “ruthless”, “sophisticated and innovative”, “well-organised and well-structured” and “very active – almost tireless”. The group is known for high-profile attacks, including those on the oil giant Shell, the cyber security firm Qualys, the U.S. bank Flagstar, Stanford University and the University of California.  

Many of the attacks were tied to supply chain compromises. The group's strategy often involves targeting managed file transfer vulnerabilities (MOVEit, Cleo, etc.).  

If your business uses other managed file transfer services, it is worth investing in proactive security measures, given that these transfer systems are commonly exposed to the internet. 

Understanding the Vulnerabilities 

Two critical vulnerabilities in Cleo’s MFT software were exploited: 

  1. CVE-2024-50623: Initially disclosed in October 2024, this unrestricted file upload vulnerability allowed attackers to execute remote code by placing malicious files in Cleo’s Autorun directory. Despite patches released in version 5.8.0.21, exploitation persisted due to incomplete mitigation. 
  2. CVE-2024-55956: Discovered in December 2024, this zero-day vulnerability enabled unauthenticated users to execute arbitrary Bash or PowerShell commands on host systems via default Autorun settings. Cleo addressed this flaw in version 5.8.0.24. 

These vulnerabilities were actively exploited by Cl0p starting in early December, with attacks targeting internet-facing Cleo Harmony, VLTrader, and LexiCom systems. They allowed attackers to execute remote code and unauthorised commands, leading to data breaches and operational disruptions. SMEs, with often limited cyber security resources, were particularly vulnerable. 

CYFOR Secure's Response

While details of specific client cases remain confidential, CYFOR Secure took swift action to contain and mitigate the impact of these incidents. Our team reviewed the clients’ systems, identified the vulnerability exploit used, and helped patch the systems to prevent further access.  

As Will Poole, Technical Director, puts it:

“We see many organisations with great patch management processes impacted by this incident, often proactively patching the vulnerabilities mere days after they had already been exploited. The need for organisations to receive proactive intelligence on vulnerabilities they are impacted by, and to develop processes for applying critical updates outside their normal patching timelines, is becoming clearer each time a vulnerability like this is found.” 

Will Poole

Proactive Security Recommendations 

To prevent future incidents, we advised clients on best practices such as implementing multi-factor authentication (MFA), network segmentation, and regular software updates. 

Lessons Learned: How These Incidents Could Have Been Prevented 

Reflecting on these events reveals several key opportunities for prevention: 

  1. Timely Patching: Organisations must ensure software updates are applied promptly and verify their effectiveness. Delayed or incomplete patching left many systems vulnerable despite Cleo’s initial fixes. 
  2. Network Segmentation: Isolating critical systems reduces the risk of lateral movement within networks during an attack. 
  3. Disabling Risky Features: Features like the Autorun directory should be disabled unless necessary. 
  4. Proactive Monitoring: Continuous monitoring for unusual activity can help detect exploitation attempts early. 
  5. Access Controls: Implementing least privilege access controls limits exposure by ensuring users only access data essential to their roles. 
  6. Incident Response Preparedness: Having a robust incident response plan allows organisations to act swiftly during cyber-attacks. 
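As an added example (not CYFOR Secure's or Cleo's own code), the following Python audit ties together the patching, Autorun and monitoring points above: it classifies an installed Harmony/VLTrader/LexiCom version against the fix releases named in this post and flags any file in the Autorun directory that an administrator did not deliberately place there. The version thresholds come from this post; the directory path, the allow-list and the sample files are constructed assumptions.

```python
from pathlib import Path
import tempfile

# Version thresholds as stated in this post; tuples compare numerically.
FIXED_VERSION = (5, 8, 0, 24)    # CVE-2024-55956 fixed here
INCOMPLETE_FIX = (5, 8, 0, 21)   # first CVE-2024-50623 patch, mitigation incomplete


def parse_version(text: str) -> tuple:
    """'5.8.0.21' -> (5, 8, 0, 21). A plain string compare gets this wrong:
    '5.8.0.9' > '5.8.0.24' lexicographically, so always compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(version: str) -> str:
    """Classify an installed Harmony/VLTrader/LexiCom version string."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return "patched"
    if v >= INCOMPLETE_FIX:
        return "partially-patched"  # 5.8.0.21 to 5.8.0.23: still exploitable
    return "vulnerable"


def audit_autorun(autorun_dir: Path, allowed=frozenset()) -> list:
    """List files in the Autorun directory that are not allow-listed.
    With Autorun disabled the directory should stay empty, so any file the
    administrator did not place there deliberately is worth investigating."""
    if not autorun_dir.is_dir():
        return []  # Autorun disabled or the directory was never created
    return [
        f"unexpected file in Autorun: {entry.name} ({entry.stat().st_size} bytes)"
        for entry in sorted(autorun_dir.iterdir())
        if entry.name not in allowed
    ]


def demo() -> dict:
    """Run both checks against a constructed sample install in a temp dir.
    The directory name, file names and version are assumptions, not real
    Cleo artefacts; point audit_autorun at the real Autorun path in use."""
    with tempfile.TemporaryDirectory() as tmp:
        autorun = Path(tmp) / "autorun"
        autorun.mkdir()
        (autorun / "healthcheck.txt").write_text("ok")        # deliberately placed
        (autorun / "dropped.xml").write_text("<host/>")       # not on the allow-list
        return {
            "status": patch_status("5.8.0.21"),
            "findings": audit_autorun(autorun, allowed={"healthcheck.txt"}),
        }
```

Run `demo()` to see a host on the incomplete 5.8.0.21 patch reported as partially-patched alongside the one unexpected Autorun file; in production, schedule the audit and alert on any non-empty findings list.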

Looking Ahead: Strengthening Defences 

The exploitation of Cleo vulnerabilities highlights how quickly threat actors capitalise on weaknesses in widely used software. Organisations must remain vigilant by adopting proactive security measures and engaging expert partners. 

If your organisation suspects it may be at risk due to similar vulnerabilities or cyber-attacks, contact CYFOR Secure immediately for expert incident response and support. Together, we can strengthen your defences against evolving threats. 

 

Contact our team: 0330 135 5756