File transfer applications: A target for ransomware

File transfer applications have been a consistent target, particularly for ransomware groups, in recent years because they are key parts of business operations and have trusted access across different parts of an organization that include potentially confidential and personal information about an organization and its employees.

Recent targets of ransomware criminals includes applications like Acellion, Moveit, and GoAnywhere [1]. This seems to have been the case for Cleo’s managed file transfer (MFT) software solutions and the vulnerability CVE-2024-50623.

Threat overview: Understanding Cleo file transfer vulnerability

This vulnerability was believed to have been patched with the release of version 5.8.0.21 in late October 2024. However, open-source intelligence (OSINT) reported that the Clop ransomware group had managed to bypass the initial patch in late November, leading to the successful exploitation of the previously patched CVE.

In the last few days Cleo has published a new vulnerability, CVE-2024-55956, which is not a patch bypass of the CVE-2024-50623 but rather another vulnerability. This is also an unauthenticated file write vulnerability but while CVE-2024-50623 allows for both reading and writing arbitrary files, the CVE-2024-55956 only allows for writing arbitrary files and was addressed in version 5.8.0.24 [2].

Darktrace Threat Research analysts have already started investigating potential signs of devices running the Cleo software with network traffic supporting this initial hypothesis.

Comparison of CVE-2024-50623 and CVE-2024-55956

While CVE-2024-50623 was initially listed as a cross-site scripting issue, it was updated on December 10 to reflect unrestricted file upload and download. This vulnerability could lead to remote code execution (RCE) in versions of Cleo’s Harmony, VLTrader, and LexiCom products prior to 5.8.0.24. Attackers could leverage the fact that files are placed in the "autorun" sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software [3].

CVE-2024-55956, refers to an unauthenticated user who can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory [4]. Both CVEs have occurred due to separate issues in the “/Synchronization” endpoint.

Investigating post exploitation patterns of activity on Cleo software

Proof of exploitation

Darktrace’s Threat Research analysts investigated multiple cases where devices identified as likely running Cleo software were detected engaging in unusual behavior. Analysts also attempted to identify any possible association between publicly available indicators of compromise (IoCs) and the exploitation of the vulnerability, using evidence of anomalous network traffic.

One case involved an Internet-facing device likely running Cleo VLTrader software (based on its hostname) reaching out to the 100% rare Lithuanian IP 181.214.147[.]164 · AS 15440 (UAB Baltnetos komunikacijos).

This activity occurred in the early hours of December 8 on the network of a customer in the energy sector. Darktrace detected a Cleo server transferring around over 500 MB of data over multiple SSL connections via port 443 to the Lithuanian IP. External research reported that this IP appears to be a callback IP observed in post-exploitation activity of vulnerable Cleo devices [3].

While this device was regularly observed sending data to external endpoints, this transfer represented a small increase in data sent to public IPs and coupled with the rarity of the destination, triggered a model alert as well as a Cyber AI Analyst Incident summarizing the transfer. Unfortunately, due to the encrypted connection no further analysis of the transmitted data was possible. However, due to the rarity of the activity, Darktrace’s Autonomous Response intervened and prevented any further connections to the IP.

On the same day, external connections were observed to the external IP 45.182.189[.]225, along with inbound SSL connections from the same endpoint. OSINT has also linked this IP to the exploitation of Cleo software vulnerabilities [5].

Hours after the last connection to 181.214.147[.]164, the integration detection tool from CrowdStrike, which the customer had integrated with Darktrace, issued an alert. This alert provided additional visibility into host-level processes and highlighted the following command executed on the Cleo server:

“D:\VLTrader\jre\bin\java.exe" -jar cleo.4889

Three days later, on December 11, another CrowdStrike integration alert was generated, this time following encoded PowerShell command activity on the server. This is consistent with post-exploitation activity where arbitrary PowerShell commands are executed on compromised systems leveraging the default settings of the Autorun directory, as highlighted by Cleo support [6]. According to external researchers , this process initiates connections to an external IP to retrieve JAR files with webshell-like functionality for continued post-exploitation [3]. The IP embedded in both commands observed by Darktrace was 38.180.242[.]122, hosted on ASN 58061(Scalaxy B.V.). There is no OSINT associating this IP with Cleo vulnerability exploitation at the time of writing.

Another device within the same customer network exhibited similar data transfer and command execution activity around the same time, suggesting it had also been compromised through this vulnerability. However, this second device contacted a different external IP, 5.45.74[.]137, hosted on AS 58061 (Scalaxy B.V.).

Like the first device, multiple connections to this IP were detected, with almost 600 MB of data transferred over the SSL protocol.

While investigating potential Cleo servers involved in similar outgoing data activity, Darktrace’s Threat Research team identified two additional instances of likely Cleo vulnerability exploitation used to exfiltrate data outside the network. In those two instances, unusual outgoing data transfers were observed to the IP 176.123.4[.]22 (AS 200019, AlexHost SRL), with around 500 MB of data being exfiltrated over port 443 in one case (the exact volume could not be confirmed in the other instance). This IP was found embedded in encoded PowerShell commands examined by external researchers in the context of Cleo vulnerability exploitation investigations.

Conclusion

Overall, Cleo software represents a critical component of many business operations, being utilized by over 4,000 organizations worldwide. This renders the software an attractive target for threat actors who aim at exploiting internet-facing devices that could be used to compromise the software’s direct users but also other dependent industries resulting in supply chain attacks.

Darktrace / NETWORK was able to capture traffic linked to exploitation of CVE-2024-50623 within models that triggered such as Unusual Activity / Unusual External Data to New Endpoint while its Autonomous Response capability successfully blocked the anomalous connections and exfiltration attempts.

Information on new CVEs, how they're being exploited, and whether they've been patched can be fast-changing, sometimes limited and often confusing. Regardless, Darktrace is able to identify and alert to unusual behavior on these systems, indicating exploitation.

Credit to Maria Geronikolou, Alexandra Sentenac, Emma Fougler, Signe Zaharka and the Darktrace Threat Research team

Insights from Darktrace’s First 6: Half-year threat report for 2024

Darktrace’s First 6: Half-Year Threat Report 2024 highlights the latest attack trends and key threats observed by the Darktrace Threat Research team in the first six months of 2024.

• Focuses on anomaly detection and behavioral analysis to identify threats
• Maps mitigated cases to known, publicly attributed threats for deeper context
• Offers guidance on improving security posture to defend against persistent threats

‍

‍

‍

‍

Appendices

References

[1] https://blog.httpcs.com/en/file-sharing-and-transfer-software-the-new-target-of-hackers/

[2] https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

[3] https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

[4] https://nvd.nist.gov/vuln/detail/CVE-2024-55956

[5] https://arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/

[6] https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending

[7] https://support.cleo.com/hc/en-us/articles/360034260293-Local-HTTP-Users-Configuration

Darktrace Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

Device / Internet Facing Device with High Priority Alert

Anomalous Server Activity / Rare External from Server

Anomalous Connection / New User Agent to IP Without Hostname

Security Integration / High Severity Integration Incident

Security Integration / Low Severity Integration Detection

Autonomous Response Model Detections

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Cyber AI Analyst Incidents

Unusual External Data Transfer

MITRE ATT&CK Mapping

Tactic – Technique

INITIAL ACCESS – Exploit Public-Facing Application

COMMAND AND CONTROL – Application Layer Protocol (Web Protocols)

COMMAND AND CONTROL – Encrypted Channel

PERSISTENCE – Web Shell

EXFILTRATION - Exfiltration Over C2 Channel

IoC List

IoC       Type    Description + Probability

181.214.147[.]164      IP Address       Likely C2 Infrastructure

176.123.4[.]22            IP Address       Likely C2 Infrastructure

5.45.74[.]137               IP Address           Possible C2 Infrastructure

38.180.242[.]122        IP Address       Possible C2 Infrastructure

Introduction: Nation state attacks on supply chains

In recent years, supply chain attacks have surged in both frequency and sophistication, evolving into one of the most severe threats to organizations across almost every industry. By exploiting third-party vendors and service providers, these attacks can inflict widespread disruption with a single breach. They have become a go-to choice for nation state actors and show no signs of slowing down. According to Gartner, the costs from these attacks will skyrocket “from $46 billion in 2023 to $138 billion by 2031” [1].  

But why are supply chains specifically such an irresistible target for threat actors? Dwight David Eisenhower, the General of the US Army in World War II and former US President, once said, “you won’t find it difficult to prove that battles, campaigns, and even wars have been won or lost primarily because of logistics.”

The same is true in cyberspace and cyberwarfare. We live in an increasingly interconnected world. The provision of almost every service integral to our daily lives relies on a complex web of interdependent third parties.  

Naturally, threat actors gravitate towards these service providers. By compromising just one of them, they can spread through supply chains downstream to other organizations and raise the odds of winning their battle, campaign, or war.  

A house built on open-source sand

Software developers face immense pressure to produce functional code quickly, often under tight deadlines. Adding to this challenge is the need to comply with stringent security requirements set by their DevSecOps counterparts, who aim to ensure that code is safe from vulnerabilities.  

Open-source repositories alleviate some of this pressure by providing pre-built packages of code and fully functioning tools that developers can freely access and integrate. These highly accessible resources enhance productivity and boost innovation. As a result, they have a huge, diverse user base spanning industries and geographies. However, given their extensive adoption, any security lapse can result in widespread compromise across businesses.

Cautionary tales for open-source dependencies

This is exactly what happened in December 2021 when a remote code execution vulnerability was discovered in Log4J’s software. In simple terms, it exposed an alarmingly straightforward way for attackers to take control of any system using Log4J.  

The scope for potential attack was unprecedented. Some estimates say up to 3 billion devices were affected worldwide, in what was quickly labelled the “single biggest, most critical vulnerability of the last decade” [2].

What ensued was a race between opportunistic nefarious actors and panicked security professionals. The astronomical number of vulnerable devices laid expansive groundwork for attackers, who quickly began probing potentially exploitable systems. 48% of corporate networks globally were scanned for the vulnerability, while security teams scrambled to apply the remediating patch [3].

The vulnerability attracted nation states like a moth to a flame, who, unsurprisingly, beat many security teams to it. According to the FBI and the US Cybersecurity and Infrastructure Agency (CISA), Iranian government-sponsored threat groups were found using the Log4J vulnerability to install cryptomining software, credential stealers and Ngrok reverse proxies onto no less than US Federal networks [4].  

Research from Microsoft and Mandiant revealed nation state groups from China, North Korea and Turkey also taking advantage of the Log4J vulnerability to deploy malware on target systems [5].  

If Log4j taught us anything, it’s that vulnerabilities in open-source technologies can be highly attractive target for nation states. When these technologies are universally adopted, geopolitical adversaries have a much wider net of opportunity to successfully weaponize them.  

It therefore comes as no surprise that nation states have ramped up their operations targeting the open-source link of the supply chain in recent years.  

Since 2020, there has been a 1300% increase in malicious threats circulating on open-source repositories. PyPI is the official open-source code repository for programming done in the Python language and used by over 800,000 developers worldwide. In the first 9 months of 2023 alone, 7,000 malicious packages were found on PyPI, some of which were linked to the North Korea state-sponsored threat group, Lazarus [6].  

Most of them were found using a technique called typosquatting, in which the malicious payloads are disguised with names that very closely resemble those of legitimate packages, ready for download by an unwitting software developer. This trickery of the eye is an example of social engineering in the supply chain.  

A hop, skip, and a jump into the most sensitive networks on earth

One of the most high-profile supply chain attacks in recent history occurred in 2023, targeting 3CX’s Desktop App – a widely used video communications by over 600,000 customers in various sectors such as aerospace, healthcare and hospitality.

The incident gained notoriety as a double supply chain attack. The initial breach originated from financial trading software called X_Trader, which had been infected with a backdoor.  A 3CX employee unknowingly downloaded the compromised X_Trader software onto a corporate device. This allowed attackers to steal the employee’s credentials and use them to gain access to 3CX’s network, spread laterally and compromising Windows and Mac systems.  

The attack moved along another link of the supply chain to several of 3CX’s customers, impacting critical national infrastructure like energy sector in US and Europe.  

For the average software provider, this attack shed more light on how a compromise of their technology could cause chaos for their customers.  

But nation states already knew this. The 3CX attack was attributed, yet again, to Lazarus, the same North Korean nation state blamed for implanting malicious packages in the Python repository.  

It’s also worth mentioning the astounding piece of evidence in a separate social engineering campaign which linked the 3CX hack to North Korea. It was an attack worthy of a Hollywood cyber block buster. The threat group, Lazarus, lured hopeful job candidates on LinkedIn into clicking on malicious ZIP file disguised as an attractive PDF offer for a position as a Developer at HSBC. The malware’s command and control infrastructure, journalide[.]org, was the same one discovered in the 3CX campaign.  

Though not strictly a supply chain attack, the LinkedIn campaign illustrates how nation states employ a diverse array of methods that span beyond the supply chain to achieve their goals. These sophisticated and well-resourced adversaries are adaptable and capable of repurposing their command-and-control infrastructure to orchestrate a range of attacks. This attack, along with the typosquatting attacks found in PyPI, serve as a critical reminder for security teams: supply chain attacks are often coupled with another powerful tactic – social engineering of human teams.

‍When the cure is worse than the disease

Updates to the software are a core pillar of cybersecurity, designed to patch vulnerabilities like Log4J and ensure it is safe. However, they have also proven to serve as alarmingly efficient delivery vessels for nation states to propagate their cyberattacks.  

Two of the most prolific supply chain breaches in recent history have been deployed through malicious updates, illustrating how they can be a double-edged sword when it comes to cyber defense.  

NotPetya (2017) and Solarwinds (2020)

The 2017 NotPetya ransomware attack exemplified the mass spread of ransomware via a single software update. A Russian military group injected malware on accounting software used by Ukrainian businesses for tax reporting. Via an automatic update, the ransomware was pushed out to thousands of customers within hours, crippled Ukrainian infrastructure including airports, financial institutions and government agencies.  

Some of the hardest hit victims were suppliers themselves. Maersk, the global shipping giant responsible for shipping one fifth of the world’s goods, had their entire global operations brought to a halt and their 76 ports temporarily shut down. The interruptions to global trade were then compounded when a FedEx subsidiary was hit by the same ransomware. Meanwhile, Merck, a pharmaceutical company, was unable to supply vaccines to the Center for Disease Control and Prevention due to the attack.  

In 2020, another devastating supply chain attack unfolded in a similar way. Threat actors tied to Russian intelligence embedded malicious code into Solarwinds’ Orion IT software, which was then distributed as an update to 18,000 organizations. Victims included at least eight U.S. government agencies, as well as several major tech companies.  

These two attacks highlighted two key lessons. First, in a hyperconnected digital world, nation states will exploit the trust organizations place in software updates to cause a ripple effect of devastation downstream. Secondly, the economies of scale for the threat actor themselves are staggering: a single malicious update provided the heavy lifting work of dissemination to the attacker. A colossal number of originations were infected, and they obtained the keys to the world’s most sensitive networks.

The conclusion is obvious, albeit challenging to implement; organizations must rigorously scrutinize the authenticity and security of updates to prevent far-reaching consequences.  

Geopolitics and nation States in 2024: Beyond the software supply chain

The threat to our increasingly complex web of global supply is real. But organizations must look beyond their software to successfully mitigate supply chain disruption. Securing hardware and logistics is crucial, as these supply chain links are also in the crosshairs of nation states.  

In July 2024, suspicious packages caused a warehouse fire at a depot belonging to courier giant DHL in Birmingham, UK. British counter-terrorism authorities investigated Russian involvement in this fire, which was linked to a very similar incident that same month at a DHL facility in Germany.  

In September 2024, camouflaged explosives were hidden in walkie talkies and pagers in Lebanon and Syria – a supply chain attack widely believed to be carried out by Israel.

While these attacks targeted hardware and logistics rather than software, the underlying rule of thumb remained the same: the compromise of a single distributor can provide the attackers with considerable economies of scale.

These attacks sparked growing concerns of coordinated efforts to sabotage the supply chain. This sentiment was reflected in a global survey carried out by HP in August 2024, in which many organisations reported “nation-state threat actors targeting physical supply chains and tampering with device hardware and firmware integrity” [7].

More recently, in November 2024, the Russian military unit 29155 vowed to “turn the lights out for millions” by threatening to launch cyberattacks on the blood supply of NATO countries, critical national infrastructure (CNI). Today, CNI encompasses more than the electric grid and water supply; it includes ICT services and IT infrastructure – the digital systems that underpin the foundations of modern society.    

This is nothing new. The supply and logistics-focused tactic has been central to warfare throughout history. What’s changed is that cyberspace has merely expanded the scale and efficiency of these tactics, turning single software compromises into attack multipliers. The supply chain threat is now more multi-faceted than ever before.  

Learnings from the supply chain threat landscape

Consider some of the most disastrous nation-state supply chain attacks in recent history – 3CX, NotPetya and Solarwinds. They share a remarkable commonality: the attackers only needed to compromise a single piece of software to cause rampant disruption. By targeting a technology provider whose products were deeply embedded across industries, threat actors leveraged the trust inherent in the supply chain to infiltrate networks at scale.

From a nation-state’s perspective, targeting a specific technology, device or service used by vast swathes of society amplifies operational efficiency. For software, hardware and critical service suppliers, these examples serve as an urgent wake-up call. Without rigorous security measures, they risk becoming conduits for global disruption. Sanity-checking code, implementing robust validation processes, and fostering a culture of security throughout the supply chain are no longer optional—they are essential.  

The stakes are clear: in the interconnected digital age, the safety of countless systems, industries and society at large depends on their vigilance.  

Gain a deeper understanding of the evolving risks in supply chain security and explore actionable strategies to protect your organization against emerging threats. Download the white paper to empower your decision-making with expert insights tailored for CISOs

Download: Securing the Supply Chain White Paper

‍

‍

‍

‍

References

1. https://www.gartner.com/en/documents/5524495

2. CISA Insights “Remediate Vulnerabilities for Internet-Accessible Systems.”

3. https://blog.checkpoint.com/security/the-numbers-behind-a-cyber-pandemic-detailed-dive/

4. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a  

5. https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/  

6. https://content.reversinglabs.com/state-of-sscs-report/the-state-of-sscs-report-24  

7. https://www.hp.com/us-en/newsroom/press-releases/2024/hp-wolf-security-study-supply-chains.html