Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust + AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Mark Manglicmot
On December 10, Arctic Wolf Labs' Threat Intelligence team uncovered some novel threat intelligence related to a recent zero-day vulnerability affecting Cleo managed file transfer products. Cleo is a business-to-business supply chain integration software out there, and we observed a mass exploitation campaign of the Cleo products for initial access.
Dave Bittner
That's Mark Manglicmot, Senior Vice President of Security Services at Arctic Wolf. The research we're discussing today is titled "Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor through Zero-Day Exploitation of Cleo MFT Software."
Mark Manglicmot
The execution chain involved an obfuscated PowerShell stager, a Java loader and ultimately a Java-based backdoor which is being referred to as Cleopatra. Like you said, the initial access: our preliminary evidence suggests that the remote code execution vulnerability CVE-2024-50623 may have been used to execute a malicious PowerShell script. While the exact method of initial access is not yet confirmed, the vulnerability is known to affect both Windows and Linux versions of Harmony, VLTrader and LexiCom.
Dave Bittner
Well, before we dig into some more of the details, for folks who might not be familiar with managed file transfer software, can you give us a little overview of its purpose and what makes it an attractive target here for threat actors?
Mark Manglicmot
Yeah, it's become a very attractive target. It allows companies to share information as part of a supply chain in a trusted way. And this has become a lucrative target for ransomware attackers there, because if you get into this technology, you're into a bunch of different companies all at once. And so it's a way of attacking one thing, but then having an impact across multiple companies. And we're seeing specifically a group that emerged last fall called Termite be all over this. In November they attacked Blue Yonder, which is a similar type of supply chain management software. And then in December we saw them again for the Cleopatra attack.
Dave Bittner
I see. Well, let's dig into some of the technical details here. Can you walk us through the attack chain? Let's begin with the exploitation of the zero-day that Cleo fell victim to. Is that a good place to start?
Mark Manglicmot
Yeah, let's do it. So in the threat activity that Arctic Wolf saw, there was a malicious PowerShell script. It connects to an external IP and then downloads a secondary payload and executes it. That payload creates and runs a JAR file through the Cleo software. This is using Cleo Autorun, which is important to note, because within a lot of software they have autorun, obviously. But what it did is automatically trigger some predefined processes or scripts. And once it got this initial access, the attackers were observed performing reconnaissance. So once they get into the software, they start poking around, seeing what they can see to move laterally. And some of the tools they were using were net, nltest, systeminfo commands on compromised systems, which could help them move around within these companies' networks once they get in. So these are very attractive targets to threat actors, like I said, because it allows them to get a lot of access to a lot of different data. And this is again related to another example, the MOVEit Transfer vulnerability that happened last year as well.
Dave Bittner
Yeah. Is there anything here that really sets Cleopatra apart from some of the other things you see? Is there anything unique in their operating methods here?
Mark Manglicmot
It's a new gang that's emerged, this Termite group that's using this attack, but they're using older types of ransomware. So what's interesting about it is they're not trying too hard in that regard to be super innovative. You know, an analogy I've used many times is, if an attacker is compared to a basketball team, if they could win the NBA finals shooting nothing but layups, would they ever attempt a three-point shot? And some of these attack groups are kind of the same way. If they're able to have an effective attack through simple means, then they will. They'll do that without trying too hard. We have seen a proof-of-concept exploit published by watchTowr, so credit to them, increasing the risk of widespread exploitation of this. Cleo has released version 5.8.0.24, which they say will patch these vulnerabilities so that they can't be exploited anymore. So everybody that's out there that's using the Cleo software needs to make sure to update to the latest version out there.
Dave Bittner
I see. How were these threat actors identified? Were there particular IOCs that you all witnessed here?
Mark Manglicmot
Yes, that's correct. Based on the IOCs and some of the indicators within the ransomware that we saw, we were able to identify this group and tie it back together.
Dave Bittner
What are some of the challenges that you and your colleagues face here when you're looking at these sorts of attacks? I'm thinking of the fact that they're using encrypted communication and there's some obfuscation going on here. Does that present particular challenges to you all?
Mark Manglicmot
It can, for sure. And the fact that they're using, you know, software that has normal privileges to do things can be difficult when you're hiding within plain sight of things. And so it's important for companies to lock down the number of things that have autorun, and what it has access to, and what type of files are created. We're seeing ransomware attackers continually exploit weaknesses in identity and access management configurations, and the social engineering methods that they're using are continuing to get more sophisticated as well. It used to be really easy to identify a phishing email because it was maybe in broken English or had some other oddities to it. But attackers are getting smarter to the latest technologies out there as well, and they're using, you know, ChatGPT and other AI tools to plug in their draft of a phishing email and have it cleaned up so that it looks, you know, too legit to quit out there. You know, critical infrastructure is continuing to be targeted as well. And, you know, a lot of times the monitoring capabilities on these is sometimes spotty. So it's really just how broad and interconnected networks are and how much companies are trusting other companies and having those connections back and forth. It's just you have to have really high vigilance. You have to make sure you're working on MFA, and you have to make sure you're monitoring all of the different key facets of your enterprise so that you can catch things very quickly.
Dave Bittner
We'll be right back. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Dave Bittner
Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now, at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. Yeah, I know. In the research, you point out that Arctic Wolf acted decisively to protect your own customers. Can you share some of the steps that you all took to mitigate the risks of this campaign?
Mark Manglicmot
If you see anything that's happening on a host that looks like ransomware, we'll reach out and contain those devices so that nothing else spreads. You know, it's working with customers to remove suspicious files from the Cleo software folders. So using the admin UI, we were searching for any Bash or PowerShell commands in all host XML files. If anything was found, then we would remove it with them. There were certain files that we looked for, and if we saw those, we'd help them clean those up. And then we were doing some configuration hardening with customers around the Autorun feature in Cleo. If possible, we were working with them to disable Autorun altogether, because that was a key part of this attack. If that wasn't something that they were able to do for any reason, we were hardening the configuration: only file system commands, making the Autorun directory no write access, no execute access, things like that. Anything we could do that would just make it that much harder for the attacker to be successful and to stop things at the earliest point of that attack lifecycle.
Dave Bittner
Looking at the wider implications here, I mean, this is not the first time that MFT software has been exploited. And I'm curious, what are some of the broader lessons that organizations can learn from this and previous attacks? Things like the ones that involve the MOVEit Transfer software?
Mark Manglicmot
Yeah, that's a great point. That's definitely a trend that's emerged over the last, say, six to nine months, is looking at MFTs. It's a really popular tool or technology to use for companies. So it's really important that they harden those. I think the takeaway is that, you know, there's been thousands of companies, like, not exaggerating, thousands of companies that use these things that have been impacted by MOVEit and Cleo and Blue Yonder and all these attacks that are happening there. So this is something that, you know, companies put a lot of trust into over the last couple years. And I think they need to evaluate the controls that they have around it. What are the access privileges, autorun privileges, making sure that they're patching things immediately. You know, to the credit of these companies, they're doing everything they can if they see something to make sure there's patches out there in place quickly. But attackers, like I already mentioned, are lazy, and they'll keep using stuff and just find the company that didn't apply the patch. So it's not new or sexy. But vulnerability management still is one of the most important things for companies to focus on. And it often kind of just falls by the wayside because they have a lot of things going on, and it's not something that gets as much marketing attention these days.
Dave Bittner
Yeah, a little detail you mentioned earlier on was that Cleopatra is cross-platform, like it'll go after Windows and Linux systems. Is there anything specifically noteworthy about that? Does that pose specific challenges to organizations?
Mark Manglicmot
Yeah, great question. So, you know, depending on what endpoint technologies a company has or, you know, broader network security operations, they may not have as many things monitoring the Linux systems. So it's important for companies to have those monitoring capabilities in place on there. You know, Windows is obviously the most attacked of the operating systems on an endpoint, but it also typically has better security coverage that way. So I think it's for companies to understand how these attackers are working cross-platform to find any little crack inside their defenses, the company's defenses, they can to exploit it. Just because you have Linux out there, don't assume that that on its own is going to be sufficient without additional security controls in place.
Dave Bittner
Well, let's talk about recommendations here. Suppose I'm an organization and I'm using the Cleo MFT software. Are there immediate actions I should be taking here to protect myself?
Mark Manglicmot
Number one, apply the latest patch. That's the most important thing you can do. And then stay up to date as this continues to evolve, because, you know, these things usually have multiple different rounds that they go through. So stay up to date on the latest patch. The second thing to look at is autorun within Cleo, and see if you can harden that, configure that. The next thing is, what are the access controls that you have for users and administrative privileges on your network? Working on those things, and then, you know, the final one I'd say is have security monitoring in place around any sort of trusted connections you have with other companies out there, or software that is in place in order to help with your supply chain.
Dave Bittner
Yeah. I'm curious on your own personal insights here. I mean, as someone who's deeply involved with this stuff day to day, was there anything in particular that stood out to you about this particular campaign?
Mark Manglicmot
I think what's interesting about it is that it's a continuation of a trend in that we're seeing it go after file transfer technologies. We're seeing that they obfuscated it, used a PowerShell stager, a Java loader and then a backdoor. The combination of things there is interesting in how they're not being overly brazen like we see some attackers are. They were trying to be a little bit stealthy with how they did things, which is a bit of an evolution on some of these managed file transfer attacks. In the past they were a little bit more smash and grab. And this time they're trying to be a little bit more stealthy to get in there. That allows them to have more time to do reconnaissance and kind of look for lateral movement and then be more selective of who they go after for the ransomware attacks. So I think that's interesting and novel here, and it's definitely something to keep an eye on as the trends evolve. Which makes it even more important that I mention again that companies apply the latest patches for these things out there, because as attackers get deeper into these things, it can be more difficult for the security monitoring to catch stuff because it looks legitimate. So you have to rely on those companies to make sure that they're developing patches, and you apply them.
Dave Bittner
Our thanks to Mark Manglicmot from Arctic Wolf for joining us. The research is titled "Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor through Zero-Day Exploitation of Cleo MFT Software." We'll have a link in the Show Notes. And that's Research Saturday, brought to you by N2K CyberWire. You can find a link and additional resources in our Show Notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
CyberWire Daily – Episode: Cleo’s Trojan Horse [Research Saturday]
Release Date: February 8, 2025
Host: Dave Bittner
Guest: Mark Manglicmot, Senior Vice President of Security Services at Arctic Wolf
Research Discussed: Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor through Zero-Day Exploitation of Cleo MFT Software
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner engages in an in-depth discussion with Mark Manglicmot from Arctic Wolf. The focus is on a significant cybersecurity threat involving the exploitation of a zero-day vulnerability in Cleo's Managed File Transfer (MFT) software, leading to the deployment of a Java-based backdoor named Cleopatra.
Mark Manglicmot begins by outlining the discovery made by Arctic Wolf's Threat Intelligence team on December 10. They identified a novel mass exploitation campaign targeting Cleo's MFT products, a critical tool for business-to-business supply chain integration.
Mark Manglicmot [02:24]: "The research we're discussing today is titled Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor through Zero-Day Exploitation of Cleo MFT Software."
The attackers exploited a zero-day vulnerability, CVE-2024-50623, in Cleo's MFT software, which affects both Windows and Linux versions of Harmony, VLTrader, and LexiCom. The execution chain was notably complex, involving an obfuscated PowerShell stager, a Java loader, and finally the Java-based Cleopatra backdoor:
Mark Manglicmot [04:37]: "The payload creates and runs a JAR file through the Cleo software using Cleo Autorun, automatically triggering predefined processes or scripts."
The campaign is attributed to a new threat group known as Termite, which has also targeted similar supply chain management software like Blue Yonder in previous attacks. Unlike some sophisticated groups that continuously evolve their tactics, Termite prefers using established methods effectively.
Mark Manglicmot [05:57]: "They're using older types of ransomware. If they can have an effective attack through simple means, they'll do that without trying too hard."
Arctic Wolf took proactive steps to mitigate the threats posed by this campaign:
Mark Manglicmot [11:27]: "If you see anything that's happening on a host that looks like ransomware, we'll reach out and contain those devices so that nothing else spreads."
This incident underscores a growing trend of targeting MFT software, which serves as a gateway to numerous connected companies within a supply chain. Key takeaways include:
Mark Manglicmot [12:56]: "Vulnerability management still is one of the most important things for companies to focus on."
Organizations using Cleo MFT software should adopt the following immediate actions to safeguard their systems:
Mark Manglicmot [15:26]: "Number one, apply the latest patch. That's the most important thing you can do."
What sets the Cleopatra campaign apart is its methodical approach to stealth and persistence. Unlike previous "smash and grab" tactics, Termite employs obfuscation and stealth to maintain prolonged access within targeted networks, allowing for extensive reconnaissance and selective ransomware deployment.
Mark Manglicmot [16:24]: "They were trying to be a little bit stealthy with how they did things, which is a bit of an evolution on some of these managed file transfer attacks."
The Cleopatra campaign highlights the evolving nature of cyber threats targeting supply chain integration tools. It emphasizes the necessity for organizations to maintain rigorous vulnerability management practices, implement robust access controls, and continuously monitor their systems for unusual activities. By adhering to these best practices, companies can significantly reduce their risk of falling victim to such sophisticated exploitation campaigns.
Mark Manglicmot [17:51]: "You have to rely on those companies to make sure that they're developing patches and you apply them."
CyberWire Daily ensures that listeners stay informed about the latest cybersecurity threats and mitigation strategies. For more detailed insights and resources related to this episode, please refer to the Show Notes.
Additional Resources:
For a comprehensive understanding of the Cleopatra campaign and Arctic Wolf's research, visit the CyberWire Show Notes or access the full research report titled Cleopatra's Shadow.