CyberWire Daily - Cleo's trojan horse. [Research Saturday]
Episode Date: February 8, 2025

Mark Manglicmot, SVP of Security Services from Arctic Wolf, is sharing their research on "Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software." Arctic Wolf Labs discovered an ongoing exploitation campaign targeting Cleo Managed File Transfer (MFT) products, beginning on December 7, 2024. Threat actors used a malicious PowerShell stager to deploy a Java-based backdoor, dubbed Cleopatra, which features in-memory file storage and cross-platform compatibility across Windows and Linux. Despite Cleo's previous patch for CVE-2024-50623, attackers appear to have leveraged an alternative access method, exploiting the software's autorun feature to execute payloads and establish persistent access. The research can be found here: Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software
Transcript
You're listening to the CyberWire Network, powered by N2K.

And now a message from our sponsor Zscaler, a leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.

Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
On December 10th, Arctic Wolf Labs' threat intelligence team uncovered some novel threat intelligence related to a recent zero-day vulnerability affecting Cleo managed file transfer products. Cleo is a business-to-business supply chain integration software out there, and we observed a mass exploitation campaign of the Cleo products for initial access.
That's Mark Manglicmot, Senior Vice President of Security Services at Arctic Wolf. The research we're discussing today is titled Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software.
The execution chain involved an obfuscated PowerShell stager, a Java loader, and ultimately a Java-based backdoor, which is being referred to as Cleopatra, like you said. For the initial access, our preliminary evidence suggests that the remote code execution vulnerability, CVE-2024-50623, may have been used to execute a malicious PowerShell script. While the exact method of initial access is not yet confirmed, the vulnerability is known to affect both Windows and Linux versions of Harmony, VLTrader, and LexiCom.
Well, before we dig into some more of the details, for folks who might not be familiar with managed file transfer software, can you give us a little overview of its purpose and what makes it an attractive target here for threat actors?
Yeah, it's become a very attractive target. It allows companies to share information as part of a supply chain in a trusted way. And this has become a lucrative target for ransomware attackers because if you get into this technology, you're into a bunch of different companies all at once. And so it's a way of attacking one thing, but then having an impact across multiple companies. And we're seeing specifically a group that emerged last fall called Termite be all over this. In November, they attacked Blue Yonder, which is a similar type of supply chain management software. And then in December we saw it again, you know, for the Cleopatra attack.
I see. Well, let's dig into some of the technical details here. Can you walk us through the attack chain? Let's begin with the exploitation of the zero day that Cleo fell victim to. Is that a good place to start?
Yeah, let's do it. So in the threat activity that Arctic Wolf saw, there was a malicious PowerShell script. It connects to an external IP and then downloads a secondary payload and executes it. That payload creates and runs a JAR file through the Cleo software. This is using Cleo Autorun, which is important to note because within a lot of software they have autorun, obviously, but what it does is automatically trigger some predefined processes or scripts. And once it got this initial access, the attackers were observed performing reconnaissance. So once they get into the software, they start poking around, seeing what they can see to move laterally. And some of the tools they were using were the net, nltest, and systeminfo commands on compromised systems, which could help them move around within these companies' networks once they get in. So these are very attractive targets to threat actors, like I said, because it allows them to get a lot of access to a lot of different data. And this is, again, related to another example, the MOVEit Transfer vulnerability that happened last year as well.
Yeah. Is there anything here that really sets Cleopatra apart from some of the other things you see? Is there anything unique in their operating methods here?
You know, it's a new gang that's emerged, this Termite group that's using this attack, but they're using older types of ransomware. So what's interesting about it is they're not trying too hard in that regard to be super innovative. You know, an analogy I've used many times is, if an attacker is compared to a basketball team, if they could win the NBA Finals shooting nothing but layups, would they ever attempt a three-point shot? And some of these attack groups are kind of the same way. If they're able to have an effective attack through simple means, then they'll do that without trying too hard. We have seen a proof-of-concept exploit published by watchTowr, so credit to them, increasing the risk of widespread exploitation of this. Cleo has released version 5.8.0.24, which they say will patch these vulnerabilities so that they can't be exploited anymore. So everybody that's out there that's using the Cleo software needs to make sure to update to the latest version out there.
I see. How were these threat actors identified? Were there particular IOCs that you all witnessed here?
Yes, that's correct. Based on the IOCs and some of the indicators within the ransomware that we saw, we were able to identify this group and tie it back together.
What are some of the challenges that you and your colleagues face here when you're looking at these sorts of attacks? I'm thinking of the fact that they're using encrypted communication and there's some obfuscation going on here. Does that present particular challenges to you all?
It can for sure, and the fact that they're using software that has normal privileges to do things can be difficult when you're hiding within plain sight of things. And so it's important for companies to lock down the number of things that have autorun, what it has access to, and what type of files are created. We're seeing ransomware attackers continually exploit weaknesses in identity and access management configurations, and the social engineering methods that they're using are continuing to get more sophisticated as well. It used to be really easy to identify a phishing email because it was maybe in broken English or had some other oddities to it, but attackers are getting smarter to the latest technologies out there as well, and they're using, you know, ChatGPT and other AI tools to plug in their draft of a phishing email and have it cleaned up so that it looks, you know, too legit to quit out there. You know, critical infrastructure is continuing to be targeted as well. And, you know, a lot of times the monitoring capabilities on these is sometimes spotty. So it's really just how broad and interconnected networks are and how much companies are trusting other companies and having those connections back and forth. It's just, you have to have really high vigilance. You have to make sure you're working on MFA, and you have to make sure you're monitoring all of the different key facets of your enterprise so that you can catch things very quickly.
We'll be right back.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, for and enter code N2K at checkout. That's joindelete.com slash N2K, code N2K.
I know in the research you point out that Arctic Wolf acted decisively to protect your own customers. Can you share some of the steps that you all took to mitigate the risks of this campaign?
If you see anything that's happening on a host that looks like ransomware, we'll reach out and contain those devices so that nothing else spreads. It's working with customers to remove suspicious files from the Cleo software folders. So using the admin UI, we were searching for any bash or PowerShell commands in all host.xml files. You know, if anything was found, then we would remove it with them. There were certain files that we looked for, and if we saw those, we'd help them clean those up. And then, you know, we were doing some configuration hardening with customers around the autorun feature in Cleo. You know, if possible, we were working with them to disable autorun altogether, because that was a key part of this attack. If that wasn't something that they were able to do for any reason, we were hardening the configuration: only file system commands, making the autorun directory no write access, no execute access, things like that. Anything we could do that would just make it that much harder for the attacker to be successful and to stop things at the earliest point of that attack lifecycle.
Looking at the wider implications here, I mean, this is not the first time that MFT software has been exploited. And I'm curious, what are some of the broader lessons that organizations can learn from this and previous attacks? Things like the ones that involve the MOVEit Transfer software.
Yeah, that's a great point. Like, that's definitely a trend that's emerged over the last six, nine months, is looking at MFTs. It's a really popular tool or technology for companies to use. So it's really important that they harden those. I think the takeaway is that there's been thousands of companies, like, not exaggerating, thousands of companies that use these things that have been impacted by MOVEit and Cleo and Blue Yonder and all these attacks that are happening there. So this is something that, you know, companies put a lot of trust into over the last couple of years, and I think they need to evaluate the controls that they have around it. What are the access privileges, autorun privileges, making sure that they're patching things immediately. You know, to the credit of these companies, they're doing everything they can if they see something to make sure there's patches out there in place quickly. But attackers, like I already mentioned, are lazy, and they'll keep using stuff and just find the company that didn't apply the patch. So it's not new or sexy, but vulnerability management still is one of the most important things for companies to focus on. And it often kind of just falls by the wayside because they have a lot of things going on and it's not something that gets as much marketing attention these days.
You know, a little detail you mentioned earlier on was that Cleopatra is cross-platform, like it'll go after Windows and Linux systems. Is there anything specifically noteworthy about that? Does that pose specific challenges to organizations?
Yeah, great question. So, you know, depending on what endpoint technologies companies have or, you know, broader network security operations, they may not have as many things monitoring the Linux systems. So it's important for companies to have those monitoring capabilities in place on there. You know, Windows is obviously the most attacked of the operating systems on an endpoint, but it also typically has better security coverage that way. So I think it's for companies to understand how these attackers are working cross-platform to find any little crack inside the company's defenses they can exploit. Just because you have Linux out there, don't assume that that on its own is going to be sufficient without additional security controls in place.
Well, let's talk about recommendations here. Suppose I'm an organization and I'm using the Cleo MFT software. Are there immediate actions I should be taking here to protect myself?
Number one, apply the latest patch. That's the most important thing you can do, and then stay up to date as this continues to evolve, because, you know, these things usually have multiple different rounds that they go through. So stay up to date on the latest patch. Second thing to look at is autorun within Cleo, and see if you can harden that, configure that. Next thing is what are the access controls that you have for users and administrative privileges on your network, working on those things. And then the final one I'd say is have security monitoring in place around any sort of trusted connections you have with other companies out there or software that is in place in order to help with your supply chain.
Yeah, I'm curious on your own personal insights here. I mean, as someone who's deeply involved with this stuff day to day, was there anything in particular that stood out to you about this particular campaign?

I think what's interesting about it is that it's a continuation of a trend, in that we're seeing it go after file transfer technologies. We're seeing that they obfuscated it, used a PowerShell stager, Java loader, and then a backdoor. The combination of things there is interesting in how they're not being overly brazen. Like we see some attackers are; they were trying to be a little bit stealthy with how they did things, which is a bit of an evolution on some of these managed file transfer attacks. In the past, they're a little bit more smash and grab. And this time, they're trying to be a little bit more stealthy to get in there. That allows them to have more time to do reconnaissance and kind of look for lateral movement and then be more selective with who they go after for the ransomware attacks. So I think that's interesting and novel here. And that's definitely something to keep an eye on as the trends evolve, which makes it even more important that I mention again that companies apply the latest patches for these things out there, because as attackers get deeper into these things it can be more difficult for the security monitoring to catch stuff because it looks legitimate. So you have to rely on those companies to make sure that they're, you know, developing patches, and you apply those patches in your client.
Our thanks to Mark Manglicmot from Arctic Wolf for joining us. The research is titled Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software. We'll have a link in the show notes.

And that's Research Saturday, brought to you by N2K CyberWire. You can find a link and additional resources in our show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.