Author: Swarup

Cleo Releases Patch for Critical Vulnerabilities Exploited in the Wild

Summary

OEM: Cleo
Severity: Critical
CVSS score: 9.8
CVE: CVE-2024-55956, CVE-2024-50623
Exploited in Wild: Yes
Patch/Remediation Available: Yes
Advisory Version: 1.0

Overview

The Clop ransomware group has exploited critical vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, specifically targeting Cleo Harmony, VLTrader, and LexiCom. These vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, allow unauthenticated attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.

Vulnerability Name: Unauthenticated Command Execution
CVE ID: CVE-2024-55956
Product Affected: Cleo products (Harmony, VLTrader, LexiCom)
Severity: Critical
CVSS Score: 9.8
Fixed Version: 5.8.0.24 or later

Vulnerability Name: Unrestricted File Upload/Download Vulnerability
CVE ID: CVE-2024-50623
Product Affected: Cleo products (Harmony, VLTrader, LexiCom)
Severity: Critical
CVSS Score: 9.8
Fixed Version: 5.8.0.24 or later

Technical Summary

CVE ID: CVE-2024-55956
System Affected: Cleo Harmony, VLTrader, LexiCom
Vulnerability Details: This flaw enables unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Attackers write a ZIP file containing a malicious XML file that describes a new host. The XML file contains a Mailbox action associated with that host which, when run, executes an arbitrary OS command.
Impact: Execution of arbitrary commands, resulting in full system compromise.

CVE ID: CVE-2024-50623
System Affected: Cleo Harmony, VLTrader, LexiCom
Vulnerability Details: This vulnerability permits unauthenticated attackers to upload and download files without restriction via the '/Synchronization' endpoint. By uploading malicious files, attackers can achieve remote code execution. Exploitation involves writing malicious code to specific files under the install directory, such as "webserver\AjaxSwing\conf\templates\default-pagebody-footerVL.html", which is then leveraged to execute an attacker-controlled payload, potentially in the form of a webshell.
Impact: Unauthorized file manipulation and potential system compromise.

Remediations

  • Update Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.24 or later.

Recommendations

  • It is strongly advised to move any internet-exposed Cleo systems behind a firewall until patches are applied, to prevent unauthorized exploitation.
  • Disable autorun files in Cleo software by clearing the "Autorun Directory" field under "Options" to limit the attack surface; note that this blocks the command-execution path (CVE-2024-55956) but does not resolve the file-write vulnerability (CVE-2024-50623).
  • Implement monitoring for signs of the "Cleopatra" backdoor and other malicious activity associated with Clop ransomware.
  • Conduct a thorough audit of your systems to identify any malicious files or abnormal behavior associated with Cleo software. This includes checking logs, the Autorun and temp directories, and network traffic for unusual activity related to the known exploit chain.
  • Block the attacker IP addresses listed in the IOCs below at your EDR, firewall or proxy to prevent further external communication with compromised systems.
  • Ensure regular backups of critical data are performed and stored securely offline to facilitate recovery in case of a ransomware attack.

IOCs

Based on the research, these are the attacker IP addresses embedded in the encoded PowerShell:

IP Address IOCs

176.123.5[.]126
5.149.249[.]226
185.181.230[.]103
209.127.12[.]38
181.214.147[.]164
192.119.99[.]42

File IOCs

60282967-dc91-40ef-a34c-38e992509c2c.xml
healthchecktemplate.txt
healthcheck.txt
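The following Python script is an added example (not code from the original advisory or from Cleo) that scans log lines for the IOCs listed above and for the two behaviours described in the technical summary: a ZIP or XML file being written into the Autorun directory, and requests to the /Synchronization endpoint. The sample log lines are constructed for the example in a generic web-server style; the real Cleo log format and the install path C:\Cleo\Harmony are assumptions.

```python
import re

# Indicators from the IOC list above, re-fanged so they match what appears in live logs.
IOC_IPS = {
    "176.123.5.126", "5.149.249.226", "185.181.230.103",
    "209.127.12.38", "181.214.147.164", "192.119.99.42",
}
IOC_FILES = {
    "60282967-dc91-40ef-a34c-38e992509c2c.xml",
    "healthchecktemplate.txt",
    "healthcheck.txt",
}
# Behavioural patterns from the technical summary: a ZIP/XML dropped into the Autorun
# directory (CVE-2024-55956) and traffic to the /Synchronization endpoint (CVE-2024-50623).
AUTORUN_DROP = re.compile(r"autorun[\\/][^\s\"']*\.(?:xml|zip)\b", re.IGNORECASE)
SYNC_ENDPOINT = re.compile(r"/Synchronization\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line):
    """Return the set of indicator labels that fire on a single log line."""
    hits = set()
    for ip in IPV4.findall(line):
        if ip in IOC_IPS:
            hits.add("ioc-ip:" + ip)
    lowered = line.lower()
    for name in IOC_FILES:
        if name in lowered:
            hits.add("ioc-file:" + name)
    if AUTORUN_DROP.search(line):
        hits.add("autorun-file-write")
    if SYNC_ENDPOINT.search(line):
        hits.add("sync-endpoint")
    return hits


def scan_lines(lines):
    """Return [(line_number, sorted_labels)] for every line that triggers at least one indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, sorted(hits)))
    return results


# Constructed sample lines (web-server access log plus file-write audit entries); the
# install path and log layout are assumptions for this example, not Cleo's real format.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2024:08:01:10 +0000] "GET /Synchronization HTTP/1.1" 200 512',
    '176.123.5.126 - - [10/Dec/2024:08:01:12 +0000] "POST /Synchronization HTTP/1.1" 200 0',
    '10.0.0.7 - - [10/Dec/2024:08:02:00 +0000] "GET /healthcheck HTTP/1.1" 200 12',
    'write C:\\Cleo\\Harmony\\autorun\\60282967-dc91-40ef-a34c-38e992509c2c.xml',
    'write C:\\Cleo\\Harmony\\temp\\healthchecktemplate.txt',
]

if __name__ == "__main__":
    for number, labels in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(labels)}")
```

A hit on "sync-endpoint" alone is not proof of compromise, since legitimate clients use that endpoint; treat it as context and escalate when it coincides with a listed IP or a file write into the Autorun directory.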

Future of Maritime Innovation at METS Trade 2024; Intrucept

The maritime industry worldwide is undergoing massive change, with continuous innovation on one side and managing cyber risk at the top of the priority list on the other. Addressing cyber security in the maritime sector head-on makes that innovation easier to enable and opens up a range of options for approaching it.

Maritime professionals are now ready to explore the latest industry trends and adopt solutions that dig deeper into maritime organisations' challenges and priorities around cyber security.

Intrucept Participates at the METS Trade 2024

Intrucept, a leader in cybersecurity solutions, is excited to announce its participation at the prestigious METS Trade 2024 in Amsterdam, 19-21 November 2024.

This marks a significant step forward in transforming the maritime industry by combining the power of cutting-edge cybersecurity with innovative maritime engineering.

About Intrucept: Ensuring Maritime Security in a Digital Age

As digital threats evolve, Intrucept is at the forefront of cyber security, providing comprehensive protection for maritime operations. From vessel systems to operational networks, we ensure that your fleet stays secure, resilient, and ready for the challenges of tomorrow.

Our solutions are designed to protect against cyberattacks, safeguard sensitive data, and maintain the integrity of vessel operations, all while enhancing overall business efficiency.

Why We’re Joining Forces at METS Trade 2024

At METS Trade 2024, we’ll be showcasing our unique partnership and how combining advanced cybersecurity with innovative engineering can provide unparalleled protection and efficiency for the maritime industry. Together, we are shaping the future of shipping — where digital security and operational excellence go hand in hand.

What You Can Expect from Our Joint Presence at METS 2024

Innovative cybersecurity solutions for shipping operations: Protect your vessels, data, and systems from the growing cyber threat landscape.

State-of-the-art shipping engineering technologies: Learn how we can optimize vessel performance, enhance fuel efficiency, and ensure compliance with global maritime standards.

Collaborative insights: Our team will be on hand to discuss how we can work together to make your operations safer, smarter, and more sustainable.

We invite you to visit our booth at METS Trade 2024 to explore how our solutions can help future-proof your business, improve operational resilience, and safeguard your digital infrastructure.

Details:

Event: METS Trade 2024

Dates: November 19-21, 2024

Location: Amsterdam RAI, Amsterdam, Netherlands

We look forward to meeting you and discussing how we can drive innovation, security, and efficiency in your maritime operations.

Palo Alto Account Takeover Vulnerability Actively Exploited

Summary

OEM: Palo Alto
Severity: Critical
Date of Announcement: 2024-07-10
CVSS Score: 9.3
CVE: CVE-2024-5910
CWE: CWE-306
Exploited in Wild: Yes
Patch/Remediation Available: Yes
Advisory Version: 1.0

Overview

CISA has included the Palo Alto Networks Expedition tool Missing Authentication Vulnerability in its catalog of actively exploited vulnerabilities. Palo Alto’s Expedition is a migration tool designed to simplify the process of transferring configurations from other vendors to Palo Alto Networks. The issue is tracked under CVE-2024-5910. The vulnerability, which involves missing authentication for a critical function in Expedition, could allow attackers with network access to take over an admin account. This poses a risk to imported configuration secrets, credentials, and other sensitive data within Expedition.

Vulnerability Name: Palo Alto Networks Expedition Missing Authentication Vulnerability
CVE ID: CVE-2024-5910
Product Affected: Expedition
Severity: Critical
Fixed Version: Expedition 1.2.92 and all later versions

Technical Summary

CVE ID: CVE-2024-5910
System Affected: Expedition from 1.2 before 1.2.92
Vulnerability Details: The vulnerability, caused by missing authentication for a critical function in Expedition, could allow attackers with network access to take over an admin account.
Impact: Account Takeover

Recommendations

  • Update Expedition to version 1.2.92 or later to mitigate the issue.

General Recommendations

  • Restrict Network Access: Limit network access to Expedition to only trusted and authorized users, hosts, and networks.
  • Enable Strong Authentication: Implement strong authentication for all critical functions in Expedition, including multi-factor authentication (MFA) where possible.
  • Monitor Access Logs: Regularly monitor and review access logs to detect any unusual or unauthorized access attempts.
  • Stay Updated: Stay informed about the latest cybersecurity news and updates to keep track of emerging threats and vulnerabilities.

Threat Campaign Targeting WordPress Sites with Malicious Plugins

A rapidly escalating cyber threat is targeting WordPress sites with malicious plugins. Malicious actors are breaching WordPress websites to install rogue plugins that display fake software updates and error messages, which are then used to distribute information-stealing malware.

Threat Overview

Since 2023, a malicious campaign known as ClearFake has been exploiting compromised websites to display fake browser update banners that trick users into downloading malware. This campaign evolved in 2024 with the introduction of ClickFix, a more advanced variant. ClickFix campaigns are more sophisticated and use fake error messages for browsers, web conferences, social media platforms, and even captcha pages to mislead users. The supposed “fixes” are actually PowerShell scripts designed to install malware capable of stealing sensitive information, such as login credentials.

                                   

[Figure: An example ClickFix overlay pretending to be a Chrome error (Source: BleepingComputer); a fake Google update banner (Source: Randy McEoin)]

Recent Findings

BleepingComputer reported that over 6,000 WordPress sites have been compromised as part of this campaign. The attackers are installing malicious plugins whose names closely resemble legitimate ones, such as "Wordfence Security" or "LiteSpeed Cache," to evade detection. These plugins secretly inject malicious JavaScript into the HTML of affected websites, leading to the display of fraudulent updates or error messages.

Here is the list of malicious plugins identified from June to September 2024:

LiteSpeed Cache Classic

Custom CSS Injector

MonsterInsights Classic

Custom Footer Generator

Wordfence Security Classic

Custom Login Styler

Search Rank Enhancer

Dynamic Sidebar Manager

SEO Booster Pro

Easy Themes Manager

Google SEO Enhancer

Form Builder Pro

Rank Booster Pro

Quick Cache Cleaner

Admin Bar Customizer

Responsive Menu Builder

Advanced User Manager

SEO Optimizer Pro

Advanced Widget Manage

Simple Post Enhancer

Content Blocker

Social Media Integrator

The threat actors appear to be utilizing stolen admin credentials to directly log into WordPress sites. These credentials are likely obtained through a combination of brute force attacks, phishing, or pre-existing malware infections. Once they gain access, the attackers are able to install these plugins without the need to visit the login page, streamlining the attack process.

Recommendations

If you are running a WordPress site, we recommend the following immediate actions:

  1. Ensure that every installed plugin is trusted; remove anything suspicious immediately.
  2. Use strong, unique passwords that are not reused anywhere else.
  3. Enable 2FA for all administrative users to protect against unauthorized access.
  4. Regularly review your access logs for unusual login attempts, plugin installations, and similar activity.
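To make steps 1 and 4 concrete, here is an added example in Python (not code from the original post or from WordPress) that checks a list of installed plugin names against the rogue plugin list above and triages a combined-format (Apache/Nginx) access log for login brute forcing and plugin upload/activation requests. The access-log lines are constructed for the example; the login threshold of ten POSTs is an arbitrary starting point.

```python
import re
from collections import Counter

# Rogue plugin names listed above (June-September 2024).
ROGUE_PLUGINS = [
    "LiteSpeed Cache Classic", "Custom CSS Injector", "MonsterInsights Classic",
    "Custom Footer Generator", "Wordfence Security Classic", "Custom Login Styler",
    "Search Rank Enhancer", "Dynamic Sidebar Manager", "SEO Booster Pro",
    "Easy Themes Manager", "Google SEO Enhancer", "Form Builder Pro",
    "Rank Booster Pro", "Quick Cache Cleaner", "Admin Bar Customizer",
    "Responsive Menu Builder", "Advanced User Manager", "SEO Optimizer Pro",
    "Advanced Widget Manage", "Simple Post Enhancer", "Content Blocker",
    "Social Media Integrator",
]


def normalise(name):
    """'SEO Booster Pro', 'seo-booster-pro' and 'seo_booster_pro' all become 'seo booster pro'."""
    return re.sub(r"[\s_\-]+", " ", name).strip().lower()


ROGUE_NORMALISED = {normalise(n) for n in ROGUE_PLUGINS}


def suspicious_plugins(installed):
    """Return the installed plugin titles or directory slugs that match the rogue list, sorted."""
    return sorted(p for p in installed if normalise(p) in ROGUE_NORMALISED)


# Combined log format (Apache/Nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# WordPress admin endpoints hit when a plugin is uploaded and then activated.
PLUGIN_EVENTS = (
    ("POST", "/wp-admin/update.php?action=upload-plugin"),
    ("GET", "/wp-admin/plugins.php?action=activate"),
)


def triage_access_log(lines, login_threshold=10):
    """Flag IPs that POST to wp-login.php or xmlrpc.php at least login_threshold times
    (credential brute force) and every plugin upload/activation request with its source IP."""
    login_posts = Counter()
    plugin_installs = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and path.split("?")[0] in ("/wp-login.php", "/xmlrpc.php"):
            login_posts[ip] += 1
        for ev_method, ev_prefix in PLUGIN_EVENTS:
            if method == ev_method and path.startswith(ev_prefix):
                plugin_installs.append((ip, path))
    brute = sorted(ip for ip, n in login_posts.items() if n >= login_threshold)
    return {"brute_force_ips": brute, "plugin_installs": plugin_installs}


# Constructed sample log: a credential-stuffing burst from one address, then a plugin
# upload and activation from another. Addresses are documentation ranges.
SAMPLE_ACCESS_LOG = [
    f'203.0.113.9 - - [20/Sep/2024:03:{i:02d}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200'
    for i in range(12)
] + [
    '198.51.100.4 - - [20/Sep/2024:04:00:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 900',
    '198.51.100.4 - - [20/Sep/2024:04:00:05 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=seo-booster-pro/seo-booster-pro.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [20/Sep/2024:04:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    print("rogue plugins:", suspicious_plugins(["akismet", "seo-booster-pro", "wordfence", "litespeed-cache-classic"]))
    print("log triage:", triage_access_log(SAMPLE_ACCESS_LOG))
```

Because the post notes that the attackers log in with stolen credentials, a site can be compromised with no brute-force burst in the log at all; the plugin upload/activation events are the more reliable signal, and any activation of a plugin nobody on the team installed deserves a look regardless of its name.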

Always stay vigilant and take proactive measures to protect your digital assets.

Critical Fortinet Vulnerability Exploited in the Wild

Summary

OEM: Fortinet
Severity: Critical
Date of Announcement: 2024-10-16
CVSS Score: 9.8
CVE: CVE-2024-23113
CWE: CWE-134
Exploited in Wild: Yes
Patch/Remediation Available: Yes
Advisory Version: 1.0

Overview

A Critical vulnerability (CVE-2024-23113) has been identified in the FortiOS fgfmd daemon, which enables unauthenticated attackers to remotely execute arbitrary code or commands. This flaw arises from a format string vulnerability (CWE-134) within the fgfmd daemon, where specially crafted requests can initiate arbitrary code execution, potentially resulting in full system compromise. Affected versions include multiple releases of FortiOS, FortiPAM, FortiProxy, and FortiWeb.

Vulnerability Name: Fortinet Products Format String Vulnerability
CVE ID: CVE-2024-23113
Product Affected: FortiOS, FortiProxy, FortiPAM, FortiWeb
Impact: Critical
CVSS Score: 9.8

Technical Summary

CVE ID: CVE-2024-23113
System Affected: FortiOS (7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13), FortiProxy (7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.15), FortiPAM (1.2 and lower), FortiWeb (7.4.0-7.4.2)
Vulnerability Details: The vulnerability lies in the fgfmd daemon's handling of format strings in incoming requests, which remote attackers can exploit via crafted inputs. Successful exploitation allows attackers to execute unauthorized code or commands on the affected systems.
Impact: Remote Code Execution (RCE)

Remediation

Fortinet has released security patches addressing this vulnerability. The patched versions for each product are:

  • FortiOS: Upgrade to version 7.4.3, 7.2.7, or 7.0.14 or above.
  • FortiProxy: Upgrade to version 7.4.3, 7.2.9, or 7.0.16 or above.
  • FortiPAM: Migrate to the latest supported version.
  • FortiWeb: Upgrade to version 7.4.3 or above.
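Working out which of a fleet of Fortinet devices is still exposed means checking each version against the affected ranges and mapping it to the fixed build on its own branch. The following Python script is an added example (not code from the original advisory or from Fortinet) that encodes the affected ranges and fixed versions from the tables above and evaluates an inventory against them; the inventory rows are constructed. The version parser tolerates the "7.4.2,build2571" form that FortiOS reports, which is an assumption about the input rather than something the advisory states.

```python
# Affected ranges and fixed builds exactly as listed in the tables above.
# Each entry is (first_affected, last_affected, fixed); fixed is None where the
# advisory gives no fixed build (FortiPAM: "migrate to the latest supported version").
AFFECTED = {
    "FortiOS": [("7.4.0", "7.4.2", "7.4.3"), ("7.2.0", "7.2.6", "7.2.7"), ("7.0.0", "7.0.13", "7.0.14")],
    "FortiProxy": [("7.4.0", "7.4.2", "7.4.3"), ("7.2.0", "7.2.8", "7.2.9"), ("7.0.0", "7.0.15", "7.0.16")],
    "FortiWeb": [("7.4.0", "7.4.2", "7.4.3")],
    # "1.2 and lower": a two-part upper bound is padded to cover the whole 1.2.x branch.
    "FortiPAM": [("1.0", "1.2", None)],
}


def parse_version(text, pad=0):
    """'7.4.2', 'v7.4.2' or '7.4.2,build2571' -> (7, 4, 2). Missing components are filled
    with `pad`, so '1.2' is (1, 2, 0) as a lower bound and (1, 2, inf) as an upper bound."""
    core = text.strip().lstrip("vV").split(",")[0].split()[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(pad)
    return tuple(parts)


def check(product, version):
    """Return (affected, fixed_version) for one product/version pair. A product that is not
    in the table yields (False, None), meaning "not listed here", not "known safe"."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED.get(product, []):
        if parse_version(low) <= v <= parse_version(high, pad=float("inf")):
            return True, fixed
    return False, None


def triage(inventory):
    """inventory: iterable of (hostname, product, version). Returns only the affected hosts,
    each with the build to upgrade to."""
    exposed = []
    for host, product, version in inventory:
        affected, fixed = check(product, version)
        if affected:
            exposed.append((host, product, version, fixed or "migrate to latest supported version"))
    return exposed


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "FortiOS", "v7.4.2,build2571"),
    ("fw-edge-2", "FortiOS", "7.4.3"),
    ("proxy-1", "FortiProxy", "7.2.8"),
    ("waf-1", "FortiWeb", "7.2.5"),
    ("pam-1", "FortiPAM", "1.2.1"),
]

if __name__ == "__main__":
    for host, product, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected, upgrade to {fixed}")
```

The table deliberately mirrors the advisory rather than Fortinet's full PSIRT matrix, so a device on a branch the advisory does not mention (for example FortiWeb 7.2.x) comes back as "not listed" and should be verified against the vendor bulletin before being marked clean.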

Workarounds

It is strongly advised to upgrade to the latest secure versions of the affected products. Where that is not immediately possible, Fortinet suggests the following workarounds:
  • Disable FGFM access on the affected interfaces. Repeat for each exposed interface, replacing "portX" with the interface name; fgfm is simply left out of the allowaccess list:
      config system interface
          edit "portX"
              set allowaccess ping https ssh
          next
      end
  • Limit FGFM connections to trusted IPs using a local-in policy. This reduces the attack surface but does not fully eliminate the risk.

General Recommendations

  • Conduct regular vulnerability scans and ensure timely security updates of the applications.
  • Segment your network to reduce the potential impact of a compromise.

Zimbra Remote Code Execution Vulnerability (CVE-2024-45519)

Summary

OEM: Zimbra
Severity: Critical
Date of Announcement: 2024-10-02
CVSS Score: 10.0
CVE: CVE-2024-45519
CWE: --
Exploited in Wild: Yes
Patch/Remediation Available: Yes
Advisory Version: 1.0

Overview

A critical vulnerability (CVE-2024-45519) has been identified in the postjournal service of Zimbra Collaboration Suite (ZCS), allowing unauthenticated attackers to execute arbitrary commands on the mail server. The flaw stems from insufficient sanitisation of user-supplied input that postjournal passes to the system shell: recipient data from a crafted email is interpreted as shell commands rather than handled as email addresses. Exploitation has been observed in the wild and can lead to full compromise of the server.

Vulnerability Name: Zimbra - Remote Command Execution
CVE ID: CVE-2024-45519
Product Affected: Zimbra Collaboration Suite (ZCS)
Impact: Critical
CVSS Score: 10.0

Technical Summary

CVE ID: CVE-2024-45519
System Affected: Zimbra Collaboration Suite (ZCS) prior to 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1
Vulnerability Details: Attackers sent spoofed emails, appearing to come from Gmail, with base64-encoded malicious code in the CC field. This code tricks the Zimbra server into executing it as shell commands instead of processing it as email addresses. The goal is to create a web shell on vulnerable servers, enabling remote access and control. Once installed, the web shell listens for specific cookie values to execute commands or download malicious files.
Impact: Complete remote control of the affected Zimbra instance.
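The following Python script is an added example (not code from the original advisory or from Zimbra) of a mail-side check for the pattern the technical summary describes: To/Cc/Bcc values that carry shell command substitution, or a long base64 run that decodes to a command, instead of a plain address. The sample message is constructed; its Cc value is built to the shape the summary describes (a base64 blob wrapped in shell syntax) as an assumption of this example, and the command inside it is a harmless placeholder.

```python
import base64
import re
from email import message_from_string

# Shell constructs that have no business inside a recipient address: command substitution,
# backticks, a pipe or semicolon into a shell, or an inline base64 decode.
SHELL_META = re.compile(r"\$\(|`|[|;]\s*(?:ba)?sh\b|base64\s+(?:-d|--decode)\b")
# A long base64-looking run; decoded below to see whether it hides a command.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
COMMAND_PREFIXES = ("#!", "curl ", "wget ", "echo ", "bash ", "sh ", "python", "perl ")


def decode_b64_runs(value):
    """Decode every long base64 run in a header value, keeping only clean ASCII results."""
    decoded = []
    for run in B64_RUN.findall(value):
        padded = run + "=" * (-len(run) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded


def audit_recipients(raw_message):
    """Return (header, reason, evidence) findings for To/Cc/Bcc values that look like
    shell payloads rather than addresses."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            if SHELL_META.search(value):
                findings.append((header, "shell-metacharacters", value))
            for text in decode_b64_runs(value):
                if SHELL_META.search(text) or text.lstrip().startswith(COMMAND_PREFIXES):
                    findings.append((header, "base64-shell-payload", text))
    return findings


# Constructed sample: the Cc value follows the shape the advisory describes (base64 blob
# wrapped in shell command substitution). The command is a harmless placeholder.
PLACEHOLDER_CMD = "echo test > /tmp/zimbra-example"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_CMD.encode()).decode()
SAMPLE_MESSAGE = (
    "From: someone@gmail.com\r\n"
    "To: user@victim.example\r\n"
    f'Cc: "a$(echo {PLACEHOLDER_B64}|base64 -d|bash)"@victim.example\r\n'
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for header, reason, evidence in audit_recipients(SAMPLE_MESSAGE):
        print(f"{header}: {reason}: {evidence!r}")
```

Run it over messages pulled from the quarantine or the Postfix queue on the Zimbra host; legitimate long tokens (tracking IDs in sub-addresses, for instance) usually decode to non-ASCII bytes and are dropped silently, so the base64 branch only reports runs that decode to readable command text. It is a detection aid for the exposure window before patching, not a substitute for the patch or for disabling postjournal.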

Remediation

  • Patch immediately: administrators are strongly advised to update their Zimbra servers to the patched versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, or 10.1.1.
  • Disable postjournal if unused: to minimise the attack surface, disable the postjournal service entirely if your organisation does not require it.
  • Verify network configuration: ensure that the mynetworks parameter is correctly configured to limit access to trusted IP ranges, preventing unauthorized access.
  • Monitor for indicators of compromise (IoCs): security teams should monitor network traffic and Zimbra server logs for unusual activity, such as connections from suspicious IP addresses (e.g., 79.124.49[.]86).