adulau/misp-circl-feed
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5ac29be4-309c-436f-84ff-49dd4f98e940.json

335 lines
28 KiB
JSON
Raw Normal View History

chg: [feeds] updated
2024-12-27 11:52:46 +01:00
{
"Event": {
"analysis": "2",
"date": "2024-12-10",
"extends_uuid": "",
"info": "OSINT - Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild",
"publish_timestamp": "1733842710",
"published": true,
"threat_level_id": "3",
"timestamp": "1733842681",
"uuid": "5ac29be4-309c-436f-84ff-49dd4f98e940",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": true,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": true,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": true,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": true,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": true,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#3c4200",
"local": false,
"name": "vulnerability:exploitability=\"industrialised\"",
"relationship_type": ""
},
{
"colour": "#b5c500",
"local": false,
"name": "vulnerability:sighting=\"exploited\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1733840961",
"to_ids": false,
"type": "vulnerability",
"uuid": "e390ffc1-4643-4cb1-9879-81e690345f2d",
"value": "CVE-2024-50623"
}
],
"Object": [
{
"comment": "CVE-2024-50623: Enriched via the cve_advanced module",
"deleted": false,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "vulnerability",
"name": "vulnerability",
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
"template_version": "8",
"timestamp": "1733840975",
"uuid": "82d226c3-f026-457f-bc31-2681363f32c9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "82d226c3-f026-457f-bc31-2681363f32c9",
"referenced_uuid": "e390ffc1-4643-4cb1-9879-81e690345f2d",
"relationship_type": "related-to",
"timestamp": "1733840976",
"uuid": "81fb7f40-7657-4274-a27c-68e51a903585"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "id",
"timestamp": "1733840975",
"to_ids": false,
"type": "vulnerability",
"uuid": "1e7fdf31-4876-402b-8b35-5b1d446b34d8",
"value": "CVE-2024-50623"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1733840975",
"to_ids": false,
"type": "text",
"uuid": "a667afa1-48f7-48e4-a761-b19d6afba7eb",
"value": "In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "modified",
"timestamp": "1733840976",
"to_ids": false,
"type": "datetime",
"uuid": "e041830a-2c1c-45a7-9266-00e47ed20ee3",
"value": "2024-10-30T21:35:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "published",
"timestamp": "1733840976",
"to_ids": false,
"type": "datetime",
"uuid": "e7e851c9-66cd-4c04-9f90-e4060416291f",
"value": "2024-10-28T00:15:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1733840976",
"to_ids": false,
"type": "text",
"uuid": "3b2b27d0-ed3c-40e8-a67c-99a39147fbbf",
"value": "Published"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "references",
"timestamp": "1733840976",
"to_ids": false,
"type": "link",
"uuid": "59656e76-433e-47bb-a91f-ff0dcb94850d",
"value": "https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory"
}
]
},
{
"comment": "Observed IP addresses for callbacks",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "9",
"timestamp": "1733841010",
"uuid": "76f0ea51-6353-4d87-bc75-5361e67461ac",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "473ca882-9594-458e-9b41-6d0f41287282",
"value": "176.123.5.126"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "c155289b-5044-4e72-a709-bda5364ce11f",
"value": "5.149.249.226"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "ea52cc9c-2c86-4db3-8d88-0af90dd1c199",
"value": "185.181.230.103"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "ffc2df49-597c-4674-83ef-7ed27870e852",
"value": "209.127.12.38"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "671fc60a-50dd-4a15-91ba-9f6e1e303315",
"value": "181.214.147.164"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "05aff488-86cc-4c73-be2c-2257da0dc920",
"value": "192.119.99.42"
}
]
},
{
"comment": "Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1733841191",
"uuid": "b813daad-c8b3-4b84-86af-1d22cdce6dce",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1733841191",
"to_ids": false,
"type": "text",
"uuid": "ce63a48d-a1aa-4e96-a7bd-c35059bf3ee5",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1733841191",
"to_ids": true,
"type": "sigma",
"uuid": "9f5ef5aa-66a0-4738-bfe1-110723569a5e",
"value": "title: Possible Cleo MFT Exploitation 2024\r\nid: f007b877-02e3-45b7-8501-1b78c2864029\r\nstatus: experimental\r\ndescription: Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.\r\nauthor: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson\r\nreferences: []\r\ndate: 2024/12/09\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n ParentImage|endswith: '\\javaw.exe'\r\n Image|endswith: '\\cmd.exe'\r\n CommandLine|contains:\r\n - 'powershell'\r\n - ' -NonInteractive'\r\n - ' -noni '\r\n - ' -enc '\r\n - ' -EncodedCommand'\r\n ParentCommandLine|contains:\r\n - 'VLTrader'\r\n - 'lexicom'\r\n - 'Harmony'\r\n - 'VersaLex'\r\n\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: high"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1733841235",
"uuid": "557b06ae-948d-4af8-9a10-99202f8a8b41",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1733841235",
"to_ids": true,
"type": "sigma",
"uuid": "949851d7-4aae-410d-b0cc-03491f4dcff1",
"value": "title: Javaw Spawning Suspicious Powershell Commands\r\nid: a0ec945f-2328-40e9-96f6-27dadf72861b\r\nstatus: experimental\r\ndescription: Detects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software.\r\nauthor: Chad Hudson, Matt Anderson\r\nreferences: []\r\ndate: 2024/12/09\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n ParentImage|endswith:\r\n - '\\javaw.exe'\r\n Image|endswith:\r\n - '\\cmd.exe'\r\n cmdline:\r\n CommandLine|contains:\r\n - ' -nop'\r\n - ' -noni'\r\n - ' -NonInteractive'\r\n - ' -w hidden '\r\n - ' -windowstyle hidden*'\r\n - '(New-Object Net.WebClient).Download*'\r\n - ' -enc '\r\n - ' -EncodedCommand '\r\n powershell:\r\n CommandLine|contains: powershell\r\n condition: selection and cmdline and powershell\r\nfalsepositives:\r\n - Unknown\r\nDetects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software."
}
]
}
],
"EventReport": [
{
"name": "Report from - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild (1733841037)",
"content": "# Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the WildDecember 9, 2024# Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild\r\n\r\nBy: Team Huntress\\|Contributors:John Hammond## Summary\r\n\r\nOn December 3, Huntress identified an emerging threat involving Cleo\u00e2\u0080\u0099s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We\u00e2\u0080\u0099ve directly observed evidence of threat actors exploiting this software en masse and performing post\\-exploitation activity. Although Cleo published an update and advisory for CVE\\-2024\\-50623\u00e2\u0080\u0094which allows unauthenticated remote code execution\u00e2\u0080\u0094Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.\r\n\r\n**TL;DR \\- This vulnerability is being actively exploited in the wild and fully patched systems running 5\\.8\\.0\\.21 are still exploitable. We strongly recommend you move any internet\\-exposed Cleo systems behind a firewall until a new patch is released.**\r\n\r\nBased on our analysis, all versions prior to and including 5\\.8\\.0\\.21 are vulnerable:\r\n\r\n* Cleo Harmony\u00c2\u00ae (5\\.8\\.0\\.21\\)\r\n* Cleo VLTrader\u00c2\u00ae (5\\.8\\.0\\.21\\)\r\n* Cleo LexiCom\u00c2\u00ae (5\\.8\\.0\\.21\\)\r\n\r\nOur team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation. This blog will be frequently updated as more details emerge.\r\n\r\n## Tradecraft We Observed\r\n\r\nThe three software solutions Harmony, VLTrader, and LexiCom are often installed in the root of the filesystem, as the suggested default in their installation process:\r\n\r\n````\r\nC:\\LexiCom \r\n\r\nC:\\VLTrader \r\n\r\nC:\\Harmony\r\n\r\n````We have also observed installation folders in the typical **\\[.highlight]C:\\\\Program Files (x86\\)\\[.highlight]** directory. Inside of the installation folder are numerous subdirectories, with some more pertinent to the tradecraft than others:\r\n\r\n**\\[.highlight]logs\\\\\\[.highlight]** \r\n\r\n**\\[.highlight]host\\\\\\[.highlight]** \r\n\r\n**\\[.highlight]autorun\\\\\\[.highlight]** \r\n\r\n(etc.)\r\n\r\nAs an example, we would find logs in a full path: **\\[.highlight]C:\\\\LexiCom\\\\logs\\\\LexiCom.xml\\[.highlight]**. Below is a record of the logs following threat actor exploitation:\r\n\r\nThere are multiple things to note in this log snippet:\r\n\r\n1. The first artifact of the attack chain is **\\[.highlight]autorun\\\\healthchecktemplate.txt\\[.highlight]**. \r\n \r\nAutorun files are immediately read, interpreted, and evaluated by LexiCom, Harmony, and VLTrader. **We believe this is one of multiple files dropped onto the filesystem via the arbitrary file\\-write vulnerability.** Files placed in the **\\[.highlight]autorun\\[.highlight]** folder are immediately deleted following their processing.\u00c2\u00a0 ***Note:*** *We have also seen* **\\[.highlight]autorun\\\\healthcheck.txt\\[.highlight]** *used as well.*\r\n2. A \u00e2\u0080\u009cWarning\u00e2\u0080\u009d on the second entry indicates this instance is running version **5\\.8\\.0\\.0**, which is the *unpatched* version. **Our proof\\-of\\-concept, which we will discuss below, successfully exploits version 5\\.8\\.0\\.21\\.**\r\n3. The **\\[.highlight]healthchecktemplate.txt\\[.highlight]** autorun looks to invoke \u00e2\u0080\u009cImport\u00e2\u0080\u009d functionality, which is native and natural functionality of the Cleo software. \r\n \r\nThe Import process reads in from a local file on disk. In this case, it loads **\\[.highlight]temp\\\\LexiCom6836057879780436035\\.tmp,\\[.highlight]** **which we believe to be a *second* file dropped via the arbitrary file\\-write vulnerability.** This .tmp file is actually a .ZIP file, containing a subdirectory **\\[.highlight]hosts\\[.highlight]** with an inner **\\[.highlight]mail.xml\\[.highlight]** file, as you see imported. \r\n \r\nThe **\\[.highlight]main.xml\\[.hi
"id": "829",
"event_id": "269946",
"timestamp": "1733841123",
"uuid": "8519fecc-c4ec-4b31-9fb6-ff3dfa37c293",
"deleted": false
}
]
}
}
Reference in a new issue Copy permalink