
Cleo’s trojan horse.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Mark Manglicmot: On December 10th, Arctic Wolf Labs' threat intelligence team uncovered some novel threat intelligence related to a recent zero-day vulnerability affecting Cleo managed file transfer products. Cleo is a business-to-business supply chain integration software out there, and we observed a mass exploitation campaign of the Cleo products for initial access.
Dave Bittner: That's Mark Manglicmot, Senior Vice President of Security Services at Arctic Wolf. The research we're discussing today is titled, "Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software." [ Music ]
Mark Manglicmot: The execution chain involved an obfuscated PowerShell stager, a Java loader, and ultimately a Java-based backdoor, which is being referred to as Cleopatra, like you said. The initial access, our preliminary evidence suggests that the remote code execution vulnerability, CVE-2024-50623, may have been used to execute a malicious PowerShell script. While the exact method of initial access is not yet confirmed, the vulnerability is known to affect both Windows and Linux versions of Harmony, VLTrader, and LexiCom.
Dave Bittner: Well, before we dig into some more of the details, for folks who might not be familiar with managed file transfer software, what -- can you give us a little overview of -- of its purpose and what -- what makes it an attractive target here for threat actors?
Mark Manglicmot: Yes, it's become a very attractive target. It allows, you know, companies to share information as part of a supply chain in a trusted way. And this has become a lucrative target for ransomware attackers there because if you get into this technology, you're into a bunch of different companies all at once. And so, it's a way of attacking one thing, but then having an impact across multiple companies. And we're seeing specifically a group that emerged last fall called Termite be all over this. In November, they attacked Blue Yonder, which is a similar type of supply chain management software. And then in December, we saw them again, you know, for the Cleopatra attack.
Dave Bittner: I see. Well, let's dig into some of the technical details here. Can you walk us through the attack chain? Let's begin with the exploitation of the -- the Cleo, the zero day that -- that Cleo fell victim to. Is that a good place to start?
Mark Manglicmot: Yes, let's do it. So, in the threat activity that Arctic Wolf saw, there was a malicious PowerShell script. It connects to an external IP and then downloads a secondary payload and executes it. That payload creates and runs a JAR file through the Cleo software. This is using Cleo autorun, which is important to note because, you know, within a lot of software, they have autorun, obviously. But what it did is automatically trigger some predefined processes or scripts. And once it got this initial access, the attackers were observed performing reconnaissance. So, once they get into the software, they start poking around, seeing what they can see to move laterally. And some of the tools they were using were net, nltest, systeminfo commands on compromised systems, which could help them move around within these companies' networks once they get in. So, these are very attractive targets to threat actors, like I said, because it allows them to get a lot of access to a lot of different data. And this is, again, related to another example of the MOVEit Transfer vulnerability that happened last year, as well.
Dave Bittner: Yes. Is there anything here that -- that really sets Cleopatra apart from some of the other things you see? Is there -- is there anything unique in the -- their operating methods here?
Mark Manglicmot: You know, it's a -- it's a new gang that's emerged, this Termite group that's -- that's using this attack, but they're using older types of ransomware. So, what's interesting about it is they're not trying too hard in that regard to be super innovative. You know, an analogy I've -- I've used many times is if an attacker, compared to a basketball team, if they could win the NBA Finals shooting nothing but layups, would they ever attempt a three-point shot? And some of these attack groups are kind of the same way. If they're able to have an effective attack through simple means, then they will -- they'll do that without trying too hard. We have seen a proof of concept exploit published by watchTowr, so credit to them, increasing the risk of widespread exploitation of this. Cleo has released version 5.8.0.24, which they say will patch these vulnerabilities so that they can't be exploited anymore. So, everybody that's out there that's using the Cleo soft -- software needs to make sure to update to the latest version out there.
Dave Bittner: I see. How were these threat actors identified? Were -- were there particular IOCs that you all witnessed here?
Mark Manglicmot: Yes, that's correct. Based on the IOCs and some of the indicators within the ransomware that we saw, we were able to -- to identify this group and tie them back together.
Dave Bittner: What are some of the challenges that you and your colleagues face here when -- when you're looking at these sorts of attacks? I mean, I'm thinking of the -- the fact that they're using encrypted communication and there's some obfuscation going on here. Does that present particular challenges to you all?
Mark Manglicmot: It can for sure. And the fact that they're using, you know, software that has normal privileges to do things can be difficult when you're hiding within plain sight of things. And so, it's important for companies to lock down the number of things that have autorun and what it has access to and what type of files are created. We're seeing ransomware attackers continually exploit weaknesses in identity and access management configurations. And the social engineering methods that they're using are continuing to get more sophisticated as well. It used to be really easy to identify a -- a phishing e-mail because it was maybe in broken English or had some other oddities to it, but attackers are getting smarter to the latest technologies out there as well, and they're using, you know, ChatGPT and other AI tools to plug in their draft of a phishing e-mail and have it cleaned up so that it looks, you know, too legit to quit out there. You know, critical infrastructure is continuing to be targeted as well. And, you know, a lot of times the -- the monitoring capabilities on these is -- is sometimes spotty. So, it's really just how broad and interconnected networks are and how much companies are trusting other companies in having those -- those connections back and forth. It's just you have to have really high vigilance. You have to make sure you're working on MFA, and you have to make sure you're monitoring all of the different key facets of your -- your enterprise so that you can catch things very quickly.
Dave Bittner: We'll be right back. [ Music ] Yes, I know in the research you -- you point out that Arctic Wolf acted decisively to protect your own customers. Can -- can you share some of the steps that you all took to mitigate the risks of this campaign?
Mark Manglicmot: If you see anything that's happening on a host that looks like ransomware, we'll reach out and contain those devices so that nothing else spreads. You know, it's working with customers to remove suspicious files from the Cleo software folders. So, using the admin UI, we were searching for any Bash or PowerShell commands, and all hosts.xml files. You know, if anything was found, then we would remove it with them. There were certain files that we looked for, and if we saw those, help them clean those up. And then, you know, we were doing some configuration hardening with customers around the autorun feature in Cleo. You know, if possible, we were working with them to disable autorun altogether, because that was, you know, a key part of this attack. If that wasn't something that they were able to do for any reason, we were hardening the configuration, you know, only file system commands to make auto -- to make auto -- autorun directory, no write access, no execute access, things like that. You know, anything we could do that would just make it that much harder for the attacker to be successful and to stop things at the earliest point of that attack lifecycle.
Dave Bittner: You know, looking at the wider implications here, I mean, this is not the first time that MFT software has been exploited and I'm -- I'm curious, what are some of the broader lessons that organizations can learn from this and previous attacks? Things like, you know, the ones that involve the MOVEit transfer software?
Mark Manglicmot: Yes, that's -- that's a great point. Like, that's definitely a trend that's emerged over the last, say, six to nine months is looking at MFTs. It's a really popular tool or technology to use for companies. So, it's really important that they harden those. I think the takeaway is that, you know, there's been thousands of companies, like not exaggerating, thousands of companies that use these things that have been impacted by MOVEit and Cleo and Blue Yonder and all these attacks that are happening there. So, this is something that, you know, companies put a lot of trust into over the last couple of years. And I think they need to evaluate the controls that they have around it. What are the access privileges, autorun privileges, making sure that they're patching things immediately. You know, they -- to the credit of these companies, they're doing everything they can if they see something to make sure there's patches out there in place quickly. But attackers, like I already mentioned, are lazy and they'll keep using stuff and just find the company that didn't apply the patch. So, it's not new or sexy, but vulnerability management still is one of the most important things for companies to focus on. And it often kind of just falls by the wayside because they have a lot of things going on and it -- it's not something that gets as much marketing attention these days.
Dave Bittner: You know, a little detail you mentioned earlier on was that Cleopatra is cross-platform, like it'll go after Windows and Linux systems. Is there anything specifically noteworthy about that? Does that pose specific challenges to organizations?
Mark Manglicmot: Yes, great question. So, you know, depending on what endpoint technologies companies have or, you know, broader network security operations, they may not have as many things monitoring the Linux systems. So, it's important for companies to have those monitoring capabilities in place on there. You know, Windows is obviously the -- the highest attacked of the operating systems on an endpoint, but it also typically has better security coverage that way. So, I think for companies to understand how these attackers are working cross-platform to find any little crack inside their defenses, the company's defenses, they can to exploit it. Just because you have Linux out there, don't assume that on its own is going to be, you know, sufficient without additional security controls in place.
Dave Bittner: Well, let's talk about recommendations here. Suppose I'm an organization and I'm using the Cleo MFT software. Are there immediate actions I should be taking here to protect myself?
Mark Manglicmot: Number one, apply the latest patch. That's the most important thing you can do. And then stay up to date on it as this continues to evolve because, you know, these things usually have multiple different rounds that they go through. So, stay up to date on the latest patch. Second thing to look at is autorun within Cleo and see if you can harden that, configure that. Next thing is what are the access controls that you have for users and administrative privileges on your network. Working on those things, and then making, you know, the final one, I'd say, is have security monitoring in place around any sort of trusted connections you have with other companies out there or software that is in place in order to help with your supply chain.
Dave Bittner: Yes, I'm curious on your own personal insights here. I mean, as someone who's deeply involved with this stuff day-to-day, was there anything in particular that stood out to you about this particular campaign?
Mark Manglicmot: I think what's interesting about it is that it's a continuation of a trend in that we're seeing it go after file transfer technologies. We're seeing that they obfuscated it, you know, used a PowerShell stager, Java loader, and then a backdoor. The combination of things there is interesting in how they're -- they're not being overly brazen, like we see some -- some attackers are. They were trying to be a little bit stealthy with how they did things, which is a bit of an evolution on some of these managed file transfer attacks. In the past, they're a little bit more smash, smash and grab. And this time, they're trying to be a little bit more stealthy to get in there. That allows them to have more time to do reconnaissance and kind of look for lateral movement. And then be more selective of who they go after for the ransomware attacks. So, I think that's interesting and novel here and it's definitely something to keep an eye on as -- as the trends evolve, which makes it even more important that I mention again that companies apply the latest patches for these things out there, because as attackers get deeper into these things, it -- it can be more difficult for the security monitoring to catch stuff because it looks legitimate. So, you have to rely on those companies to make sure that they're applying, you know, developing patches and you apply them. [ Music ]
Dave Bittner: Our thanks to Mark Manglicmot from Arctic Wolf for joining us. The research is titled, "Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software." We'll have a link in the show notes. And that's Research Saturday brought to you by N2K CyberWire. You can find a link and additional resources in our show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an e-mail to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tre Hester. Our Executive Producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]