{
  "name": "Widespread Exploitation of Cleo File Transfer Software",
  "slug": "widespread-exploitation-of-cleo-file-transfer-software",
  "description": "Critical vulnerabilities in Cleo file transfer products, including VLTrader, Harmony, and LexiCom, are being actively exploited. The activity initially stemmed from an insufficient patch for CVE-2024-50623; the resulting new critical vulnerability (CVE-2024-55956) allows unauthenticated users to execute arbitrary commands. Exploitation has been confirmed in customer environments, with attackers dropping modular Java backdoors and conducting post-exploitation activities. Affected versions include those prior to 5.8.0.24. Immediate patching and removing affected systems from public internet exposure are recommended. Indicators of compromise and post-exploitation behavior have been observed, including enumeration commands, PowerShell usage, and attempts to clear Windows event logs.",
  "published": "2024-12-16T13:25:43+00:00",
  "created_at": "2024-12-16T13:25:43+00:00",
  "modified_at": "2024-12-16T13:34:02+00:00",
  "created_at_opencti": "2024-12-16T13:25:43+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-16",
    "CVE-2024-55956",
    "cleo"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "89.248.172.139"
      },
      {
        "id": "",
        "name": "45.182.189.102"
      },
      {
        "id": "",
        "name": "185.163.204.137"
      },
      {
        "id": "",
        "name": "185.162.128.133"
      },
      {
        "id": "",
        "name": "185.181.230.103"
      },
      {
        "id": "",
        "name": "176.123.10.115"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c66658b6074d27c4",
        "name": "Cobalt Strike",
        "slug": "cobalt-strike"
      }
    ],
    "attack_patterns": [
      {
        "id": "6b5f1e68-aec7-4ea0-9777-62156da790a7",
        "name": "T1069"
      },
      {
        "id": "c9de6d3f-08cf-448d-8b9f-9aeff59fc48f",
        "name": "T1550"
      },
      {
        "id": "a15721d2-76b1-4869-bd1f-819afb6e368d",
        "name": "T1482"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-55956"
      },
      {
        "id": "",
        "name": "CVE-2024-50623"
      }
    ]
  },
  "external_refs": [
    "https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/",
    "https://otx.alienvault.com/pulse/676038680e5f7630d485df71"
  ]
}