ESSGroupExploited: Critical Vulnerabilities in Cleo File Transfer Software Widespread Exploitation

Exploited: Critical Vulnerabilities in Cleo File Transfer Software Widespread Exploitation

Threat Overview

A recent threat report published by AlienVault highlights critical vulnerabilities in Cleo file transfer products, including VLTrader, Harmony, and LexiCom. These vulnerabilities are being actively exploited by attackers, who are dropping modular Java backdoors and conducting post-exploitation activities in customer environments.

Affected Versions

Affected versions include those prior to 5.8.0.24. Immediate patching and removal from public internet access are highly recommended.

Indicators of Compromise and Post-Exploitation Behavior

Indicators of compromise and post-exploitation behavior have been observed, including enumeration commands, PowerShell usage, and attempts to clear Windows event logs.

* Enumeration commands: Attackers use commands such as whoami and systeminfo to collect information about the target environment.
* PowerShell usage: Attackers utilize PowerShell to execute malicious commands and interactions with legitimate scripts.
* Attempts to clear Windows event logs: Attackers attempt to delete logs to avoid detection based on log data.\

Mitigation Strategies

To mitigate the risks associated with this threat, it is recommended that organizations implement the following measures:
* Ensure that all Cleo file transfer products are updated to version 5.8.0.24 or later.
* Remove Cleo software from public internet access to prevent exploitation.
* Implement strict security controls around access to sensitive systems and networks.
* Regularly monitor activity for suspicious commands and PowerShell usage.
* Use layered web and network security mechanisms to protect against attacks.

Security Best Practices

To prevent similar vulnerabilities in the future, follow these security best practices:
* Regularly update software packages to prevent exploitation by exploiting zero-day vulnerabilities
* Implement a patch management system to ensure all systems are up-to-date with the latest security patches.
* Use threat intelligence feeds and security information and event management (SIEM) systems to monitor for known threats and anomalies.

Conclusion

In conclusion, the recent threat report highlights the importance of regularly updating software packages and patching vulnerabilities. Implementing strict security controls and using layered web and network security mechanisms can help protect against similar attacks in the future. By staying informed about emerging threats and following best practices, organizations can improve their cybersecurity posture and reduce the risk of successful attacks.

Discover more from ESSGroup

Subscribe to get the latest posts sent to your email.

essadmin

16 Dec 2024

Comment 0

Categoty:
CTI News

Cyber Security

Threat

2FA/MFA

Android

Azure Active Directory

Boot-Net

Insider Threat

IOT

Linux

MacOS

Malware

Browser

Ransomware

USB

Scam

Vulnerability

Windows

Email Security

Phishing

Threat actors (ATP)

Report

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Threat Overview

SHOE RACK is a sophisticated malware developed in Go 1.18, designed for post-exploitation activities. It connects to a custom SSH server at a hardcoded C2 URL, enabling remote interaction with the victim device. The malware utilizes DNS-over-HTTPS to locate its C2 server’s IP address and has been observed targeting FortiGate 100D series firewalls. SHOE RACK supports various channel types, including ‘session’ and a non-standard ‘jump’ type, allowing for reverse-SSH tunneling. It also offers TCP tunneling capabilities, enabling actors to pivot into LAN networks after compromising perimeter devices. While some operational security measures are implemented, the malware’s network communications are distinctive due to its impersonation of an outdated SSH version.

Detailed Analysis

SHOE RACK is a post-exploitation tool that provides remote shell access and TCP tunneling capabilities through compromised devices. The malware is written in Go 1.18, which is known for its efficiency and cross-platform compatibility. The use of Go allows the malware to be easily compiled for different operating systems, making it a versatile tool for attackers.

The malware connects to a custom SSH server at a hardcoded C2 URL. This server acts as the command and control center, allowing the attacker to send commands to the infected device and receive data back. The use of a custom SSH server ensures that the communication between the malware and the C2 server is encrypted, making it difficult for security tools to detect and analyze the traffic.

SHOE RACK utilizes DNS-over-HTTPS to locate its C2 server’s IP address. DNS-over-HTTPS is a protocol that encrypts DNS queries, making it difficult for attackers to intercept and manipulate DNS responses. By using DNS-over-HTTPS, the malware ensures that the location of the C2 server remains hidden from prying eyes.

The malware has been observed targeting FortiGate 100D series firewalls. These firewalls are commonly used in enterprise networks to provide security and network management. By compromising these devices, attackers can gain access to the internal network, allowing them to move laterally and compromise other systems.

SHOE RACK supports various channel types, including ‘session’ and a non-standard ‘jump’ type. The ‘session’ channel type allows the attacker to establish a remote shell on the infected device, providing direct access to the system. The ‘jump’ channel type is used for reverse-SSH tunneling, allowing the attacker to pivot into other networks after compromising a perimeter device.

The malware also offers TCP tunneling capabilities. TCP tunneling allows the attacker to create a secure tunnel between the infected device and the C2 server, enabling the transfer of data and commands. This capability is particularly useful for attackers who need to exfiltrate data from the compromised network.

Operational Security Measures

While SHOE RACK implements some operational security measures, its network communications are distinctive due to its impersonation of an outdated SSH version. This makes it easier for security tools to detect and analyze the malware’s traffic. Additionally, the use of a hardcoded C2 URL makes it difficult for the malware to adapt to changes in the network environment, potentially exposing the C2 server to detection and takedown.

Recommendations for Mitigation

Organizations can implement several measures to mitigate the threat posed by SHOE RACK. These include:

Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.

Regular Updates: Keep all systems and software up to date with the latest security patches. This includes firewalls, operating systems, and applications. Regular updates help to address known vulnerabilities that can be exploited by malware like SHOE RACK.

Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help to detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.

Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help to prevent the initial infection and limit the spread of malware within the network.

Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.

Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.

Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.

By implementing these measures, organizations can significantly reduce the risk of falling victim to SHOE RACK and other sophisticated malware threats