Risky Business #774: Cleo File Transfer Appliances Under Widespread Attack
Release Date: December 11, 2024
Host: Patrick Gray
Co-Host: Adam Boileau
Guest: Jacob Torrey from Thinkst Canary
Introduction
In episode #774 of Risky Business, hosts Patrick Gray and Adam Boileau work through a series of pressing information security topics, with a primary focus on the widespread attacks targeting Cleo file transfer appliances. The episode also features an interview with Jacob Torrey from Thinkst Canary, who discusses strategies for "defending off the land."
1. Cleo File Transfer Appliances Under Siege
Overview of the Vulnerability: Patrick Gray kicks off the episode by addressing the recurring issue of vulnerabilities in file transfer appliances, specifically those produced by Cleo. Adam Boileau explains the nature of the exploited bug:
Adam Boileau [00:56]: "The bug itself is basically an unauthenticated file upload that you can then leverage into command execution by uploading a particular kind of crafted file to a certain place that gets processed by the platform itself as like... you could run commands."
Impacted Products: The vulnerability affects several Cleo products, including Cleo Harmony, Cleo VLTrader, and Cleo LexiCom. Patrick humorously remarks:
Patrick Gray [03:02]: "It's funny that the three products here are Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, which are just odd names for file transfer appliances. Cleo Harmony sounds like something you find in a pharmacy for women."
Adoption by Threat Actors: The Termite ransomware crew has been identified exploiting this vulnerability, marking their emergence in the ransomware landscape.
Patrick Gray [03:02]: "Termite has arrived as the new kid on the block of ransomware and data extortion."
Exposure and Impact: A Shodan search revealed approximately 1,300 Cleo file transfer appliances exposed online, creating a rich target environment for attackers.
Adam Boileau [04:14]: "There are kind of 1300 ish was the number that, you know, a fairly naive Shodan search turned up."
Security Implications: The incomplete patch released by Cleo has allowed the vulnerability to persist, with potential links to recent ransomware incidents in the supply chain sector.
Patrick Gray [03:55]: "And as we know from all of the other Clop-style intrusions into file transfer appliances, this can be a pretty good business on its own."
2. Additional Security News
a. Snowflake’s Move to Phase Out Non-MFA Authentication: Following significant data breaches, Snowflake announced plans to eliminate non-MFA authentication by late 2025 to bolster security.
Patrick Gray [05:31]: "Snowflake is crushing non-MFA authentication by late 2025. That's a good thing."
b. Treasury Sanctions Against Sichuan Silence Information Technology Co. Ltd.: The U.S. Treasury has imposed sanctions on Sichuan Silence Information Technology Co. Ltd. and its employee Guan Tianfeng for providing exploit development and public sentiment suppression services.
Adam Boileau [08:41]: "They provide vulnerability development and exploit writing services. But the other treasury press release also says they provide, quote, public sentiment suppression products and services, which... that's dystopian."
c. Arrests Related to Scattered Spider: Remington Ogletree, a 19-year-old from Texas and Florida, becomes the sixth individual charged in relation to the Scattered Spider cybercrime group, following an FBI sting operation.
Patrick Gray [10:32]: "The FBI apparently went to speak to him... and then immediately went after the FBI visit to launder a bunch of cash."
d. Germany’s Crime Network Shutdown: A German individual was arrested for operating "Crime Network," an online marketplace for stolen data, drugs, and forged documents that had been running since 2012 and had over 100,000 users.
Patrick Gray [11:39]: "What you call your underground crime website. You call it Crime Network because... that's what it is. It's a network for crime."
e. FCC’s Proposed Cybersecurity Regulations for Telcos: The FCC proposes integrating cybersecurity risk management into the Communications Assistance for Law Enforcement Act (CALEA), aiming to enhance defenses against unauthorized network access.
Patrick Gray [13:06]: "As part of your CALEA compliance, you need to make your networks more secure against foreign adversaries."
f. Cloudflare Tunnels Abused for Malicious Activities: Attackers, including Russian groups targeting Ukraine, are increasingly using Cloudflare tunnels, workers.dev, and pages.dev to facilitate command and control (C2) operations and phishing campaigns.
Patrick Gray [17:18]: "Attackers are using Cloudflare tunnels, which is a way to provision remote access to, like, servers that might be inside your environment."
g. TikTok’s Legal Battles and Election Interference: TikTok faces legal challenges in the U.S. over forced divestment from ByteDance and is implicated in the manipulation of Romanian elections through extensive bot-driven content.
Patrick Gray [22:26]: "The EU has demanded that TikTok freeze and preserve data involving this because there is going to be an investigation."
h. Cyber Attack on Romanian Electricity Distributor: An electricity distributor in Romania suffers a ransomware attack, raising concerns about potential connections to broader geopolitical tensions.
Adam Boileau [27:56]: "This is ransomware... the world is mad."
i. Supply Chain Attack Leading to Crypto Theft: A backdoor inserted into a Solana blockchain JavaScript library resulted in the theft of $155,000 worth of cryptocurrency in the roughly five hours before it was detected.
Patrick Gray [28:48]: "It does highlight the dangers of supply chain attacks, especially in rapidly evolving ecosystems like cryptocurrency."
j. Attack on AMD’s Secure Execution Environment: Research reveals a method to subvert AMD’s Secure Encrypted Virtualization by tampering with the RAM modules so that two addresses map to the same memory location, potentially allowing unauthorized access to virtual machines.
Adam Boileau [32:06]: "They modified the RAM chips to over report their size, allowing two addresses to point to the same memory location."
k. Positive Technologies’ DMA via SD Cards: Positive Technologies demonstrates a DMA-based attack using SD cards with PCIe bus mastering, expanding the vectors for direct memory access exploitation.
Adam Boileau [34:53]: "Positive has done it with SD cards... allowing direct memory access through the SD card interface."
l. Telegram’s Initiative Against CSAM: Telegram collaborates with foundations to enhance the detection and removal of Child Sexual Abuse Material (CSAM) from its platform, marking a shift from its previous stance.
Patrick Gray [36:39]: "Telegram is now starting to cooperate, providing access, which is great."
m. Apple Sued Over Abandoned CSAM Scanning Feature: Apple faces a $1.2 billion lawsuit from victims of CSAM for withdrawing its client-side scanning proposal intended to secure encrypted iCloud data.
Patrick Gray [37:35]: "Apple is being sued for abandoning client-side scanning for CSAM, which was intended to make encrypted iCloud safe."
n. OpenWrt’s Cloud Build Compromised: A Japanese researcher exploited a vulnerability in OpenWrt’s cloud build service to distribute backdoored firmware images, although no evidence suggests widespread exploitation.
Adam Boileau [40:37]: "The researcher found a way to control the build process by causing hash collisions, allowing the distribution of custom firmware."
o. Firefox Discontinues Do Not Track Feature: Firefox has officially removed the Do Not Track feature, acknowledging that it can inadvertently facilitate tracking rather than prevent it.
Patrick Gray [43:35]: "Firefox's blog post points out that Do Not Track actually in some instances makes it easier to track you."
3. Interview with Jacob Torrey: Defending Off the Land
Introduction to Defending Off the Land: Jacob Torrey from Thinkst Canary introduces the concept of "defending off the land," focusing on leveraging existing system capabilities to enhance security without relying on additional tools.
Jacob Torrey [47:56]: "We're talking about defending off the land... utilizing primitives available on Windows to harden and improve visibility."
Sensitive Command Tokens: Jacob explains how sensitive command tokens set up hooks to alert administrators when specific, rarely used commands are executed, serving as effective canary tokens.
Jacob Torrey [49:15]: "This is essentially a canary token that allows you to put these traps down for attackers who land on a legitimate box."
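As an added illustration of the "sensitive command token" idea (not code from the episode or from Thinkst): a small Python check that treats process-creation events for rarely used commands as tripped canaries. The key=value log layout, the command list and the sample lines are constructed assumptions; a real deployment would feed it Windows event 4688 or similar process-creation records.

```python
import re
from dataclasses import dataclass

# Commands that normal workloads on a given host almost never run, so any
# execution is treated like a tripped canary token (constructed list, an assumption).
SENSITIVE_COMMANDS = {"whoami.exe", "nltest.exe", "klist.exe", "net.exe"}

# Constructed sample lines in a simplified 4688-style key=value layout; not real
# Windows event output. The first token on each line is the timestamp.
SAMPLE_LOG = """\
2024-12-11T09:00:01Z EventID=4688 Host=FS01 User=svc_backup NewProcessName=C:\\Windows\\System32\\robocopy.exe ParentProcessName=C:\\Windows\\System32\\svchost.exe
2024-12-11T09:02:44Z EventID=4688 Host=FS01 User=jdoe NewProcessName=C:\\Windows\\System32\\whoami.exe ParentProcessName=C:\\Windows\\System32\\cmd.exe
2024-12-11T09:02:45Z EventID=4624 Host=FS01 User=jdoe LogonType=10
2024-12-11T09:03:10Z EventID=4688 Host=FS01 User=jdoe NewProcessName=C:\\Windows\\System32\\nltest.exe ParentProcessName=C:\\Windows\\System32\\cmd.exe
2024-12-11T09:05:00Z EventID=4688 Host=FS01 User=SYSTEM NewProcessName=C:\\Windows\\System32\\net.exe ParentProcessName=C:\\Windows\\System32\\services.exe
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    command: str   # image name only, lower-cased
    parent: str    # parent image name only, lower-cased


def find_sensitive_executions(log_text, sensitive=SENSITIVE_COMMANDS, expected=frozenset()):
    """Return an Alert for each process-creation event whose image name is in
    `sensitive`, unless the (user, command) pair is in `expected`, the tuning
    knob for a scheduled task or service that legitimately runs that command."""
    alerts = []
    for line in log_text.splitlines():
        ev = dict(KV_RE.findall(line))
        if ev.get("EventID") != "4688":
            continue  # logons and other event types are not process creations
        command = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if command not in sensitive or (ev.get("User"), command) in expected:
            continue
        parent = ev.get("ParentProcessName", "?").rsplit("\\", 1)[-1].lower()
        alerts.append(Alert(line.split(" ", 1)[0], ev.get("Host", "?"),
                            ev.get("User", "?"), command, parent))
    return alerts


if __name__ == "__main__":
    for a in find_sensitive_executions(SAMPLE_LOG, expected={("SYSTEM", "net.exe")}):
        print(f"{a.ts} {a.host}: {a.user} ran {a.command} via {a.parent}")
```

The `expected` set is where the "rarely used" judgement lives: the same command run by a known service account is noise, while the same command under an interactive user's cmd.exe is exactly the signal a canary is meant to catch.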
Techniques Discussed:
- RDP and WinRM Certificate Tokens: By configuring certificates with specific properties, administrators can be alerted to unauthorized access attempts via RDP or WinRM.
Jacob Torrey [52:12]: "Anyone using RDP... gives you some visibility when people are trying to WinRM or WMI or PS remoting into your system."
- Projected File Systems: Creating fake file systems that, when accessed, notify administrators of potential intrusions.
Jacob Torrey [54:55]: "You can create file systems out of thin air... and get alerts when someone accesses them."
- Privilege Manipulator Apps: Designing OAuth/IdP applications that appear legitimate but trigger alerts when interacted with.
Jacob Torrey [56:02]: "Moving that more into the kind of M365 Okta IDP realm... it alerts when someone interacts with it."
Scalability and Management: Jacob discusses plans for scaling these techniques, including releasing open-source scripts and integrating them with canarytokens.org for easier deployment and management.
Jacob Torrey [60:05]: "Some of these are very much going to be from the dropdown list on canarytokens.org... others will be open source scripts and tools for people to play with."
4. Conclusion
As the episode wraps up, Patrick and Adam reflect on the tumultuous year in information security, highlighting significant events and contemplating future developments. They announce a brief hiatus for the podcast, ensuring listeners stay tuned for more insightful discussions in the coming months.
Patrick Gray [62:19]: "That is it for this week's show. I do hope you enjoyed it. We'll be back next week with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening."
Key Takeaways
- Cleo Appliances Vulnerability: A critical unauthenticated file upload bug in Cleo's file transfer products is being exploited by the Termite ransomware crew, affecting over a thousand devices exposed online.
- Evolving Threat Landscape: Threats range from ransomware crews exploiting appliance vulnerabilities to supply chain attacks and phishing campaigns that abuse trusted services like Cloudflare.
- Regulatory and Legal Battles: Ongoing disputes involving major tech companies like TikTok and Apple highlight the intersection of cybersecurity, privacy, and legislative action.
- Innovative Defense Mechanisms: Jacob Torrey's discussion of "defending off the land" showcases proactive strategies for organizations to detect and mitigate intrusions using built-in system features.
This comprehensive summary encapsulates the critical discussions, insights, and future implications presented in episode #774 of Risky Business, providing valuable information for information security professionals and enthusiasts alike.
