TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Cleo Software Actively Being Exploited in the Wild | Huntress

2025-01-06

ATT&CK techniques detected

7 predictions

T1059.001 PowerShell (99%)
"…09c2c.xml file (a name that looks to be reused across infections) with an embedded PowerShell-encoded command is a definitive indicator of compromise. How Huntress has responded: We are actively detecting and neutralizing activity related to the exploit. To do so, we have t…"

T1059.001 PowerShell (95%)
"…057879780436035.tmp, which we believe to be a second file dropped via the arbitrary file-write vulnerability. This .tmp file is actually a .zip file, containing a subdirectory hosts with an inner main.xml file, as you see imported. The main.xml file observed from in-the-…"

T1190 Exploit Public-Facing Application (94%)
"Cleo Software Actively Being Exploited in the Wild | Huntress. CVE-2024-55956. Summary: On December 3, Huntress identified an emerging threat involving Cleo's LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We've directly observed evidence …"

T1588.006 Vulnerabilities (76%)
"…AlexHost SRL) - Moldova; 5.149.249.226 - AS59711 (HZ Hosting Ltd) - Netherlands; 185.181.230.103 - AS60602 (Inovare-Prim SRL) - Moldova; 209.127.12.38 - AS55286 (Server-Mania / B2 Net Solutions Inc) - Canada; 181.214.147.164 - AS15440 (UAB Baltnetos komuni…"

T1059.006 Python (75%)
"Figure 3: View of vulnerable Cleo server as seen on Shodan. The Huntress Proof of Concept: Huntress communicated with Cleo on December 9 after creating our proof of concept. Over a Zoom call, they confirmed our understanding and the recreation of the attack chain. Principal Securi…"

T1190 Exploit Public-Facing Application (48%)
"…AlexHost SRL) - Moldova; 5.149.249.226 - AS59711 (HZ Hosting Ltd) - Netherlands; 185.181.230.103 - AS60602 (Inovare-Prim SRL) - Moldova; 209.127.12.38 - AS55286 (Server-Mania / B2 Net Solutions Inc) - Canada; 181.214.147.164 - AS15440 (UAB Baltnetos komuni…"

T1547.001 Registry Run Keys / Startup Folder (34%)
"…retrieve new JAR files for continued post-exploitation. These JAR files contain webshell-like functionality for persistence on the endpoint. We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy. A…"

Summary

Huntress identified an emerging threat, tracked as CVE-2024-55956, involving Cleo's LexiCom, VLTransfer, and Harmony software, which are commonly used to manage file transfers. Read more about this emerging threat on the Huntress Blog.