
October 2022: Mandiant findings trace Cleo file-transfer exploitation back to October

Backdoor installations were noted by the intelligence firm, but no significant data theft has been detected as of yet.

October traced as origin of Cleo file-transfer exploits, per Mandiant

In a significant development for cybersecurity, Mandiant Consulting has revealed active exploitation of a vulnerability in Cleo file transfer software, placing the intrusions at least a month earlier than other researchers had previously observed. The announcement was made by Mandiant Consulting's Chief Technology Officer, Charles Carmakal, in a LinkedIn post on Wednesday.

The vulnerability, identified as CVE-2024-55956, affects approximately 1,011 hosts running an unpatched version of Cleo software prior to 5.8.0.24. If exploited, it could allow threat actors to gain unauthorized access, steal sensitive data, or disrupt operations.
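The patched release cited above is the only version threshold the article gives, so the defender's first task is to compare inventory against it correctly. The following is an added example (not Cleo's or Mandiant's code) that parses dotted version strings numerically, which matters because a plain string comparison would rank 5.8.0.9 above 5.8.0.24; the inventory it triages is constructed for illustration.

```python
import re

# First fixed Cleo release named in the article; versions below it are unpatched.
PATCHED = "5.8.0.24"


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into a tuple of ints so comparisons are numeric."""
    parts = version.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, patched: str = PATCHED) -> bool:
    """True when the installed build is older than the patched release.

    Shorter tuples are zero-padded so that "5.8" is treated as "5.8.0.0"
    rather than silently sorting before any longer version string.
    """
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed sample inventory (hypothetical hostnames, not real systems).
INVENTORY = {
    "mft-edge-01": "5.8.0.21",
    "mft-edge-02": "5.8.0.9",    # lexically "greater" than 5.8.0.24, but older
    "mft-core-01": "5.8.0.24",
    "mft-core-02": "5.8.0.25",
    "mft-legacy":  "5.7.0.100",
}


def triage(inventory: dict[str, str]) -> list[str]:
    """Return hosts still on an unpatched build, sorted for a work queue."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"UNPATCHED: {host} ({INVENTORY[host]})")
```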

The threat group responsible for this exploitation, UNC5936, has been linked to multiple high-profile campaigns, including the exploitation of Accellion FTA in 2021, SolarWinds Serv-U in 2021, Fortra GoAnywhere in 2023, and Progress Software's MOVEit in 2023. It is worth noting, however, that the designation "UNC5936" is not widely used in publicly available sources, suggesting it refers to a group that is documented mainly in specialized threat-intelligence reports or internal investigations.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-55956 to its Known Exploited Vulnerabilities catalog, underscoring the urgency for affected organisations to apply the available patch.

So far, there is no evidence of mass data theft of the kind seen in prior campaigns by UNC5936 or its associated group, FIN11, also known as Clop. However, researchers have traced exploitation of this critical vulnerability back to October, and UNC5936 may deploy ransomware in the future. CVE-2024-55956 has also been noted as used in ransomware campaigns.

Cleo officials were not immediately available for comment. Organisations using Cleo file transfer software are advised to update to the latest version to mitigate the risk of this vulnerability.

This latest development is a reminder of the constantly evolving threat landscape and of the importance of staying vigilant and current with security patches.

  1. The threat landscape continues to evolve with Mandiant Consulting's disclosure of a vulnerability in Cleo file transfer software, identified as CVE-2024-55956, which if left unpatched could lead to unauthorized access, data theft, or operational disruption, as in past ransomware attacks.
  2. Given Mandiant Consulting's announcement and CISA's addition of CVE-2024-55956 to its Known Exploited Vulnerabilities catalog, organizations using Cleo file transfer software should promptly update to the latest version to reduce their exposure.
  3. The ongoing use of CVE-2024-55956 in ransomware campaigns calls for heightened awareness and vigilance in the general-news and crime-and-justice sectors, as the responsible threat group, UNC5936, remains active and is connected to some of the most significant breaches of recent years.
