Patch, Investigate, and Defend: Critical and High Vulnerabilities in Cleo Managed File Transfer Solutions Reportedly Under Attack
Tuesday, December 17, 2024

Organizations that use Cleo's software products should take note of news from the U.S. cyber community: if your organization or your vendors use Cleo Harmony, VLTrader, or LexiCom, you may be at heightened risk of an active ransomware attack and data exfiltration campaign. On Friday, the U.S. Cybersecurity and Infrastructure Security Agency added a high-risk vulnerability to its Known Exploited Vulnerabilities catalog after the cybersecurity community identified threat actor activity involving that vulnerability and another, critical vulnerability affecting Cleo software. Intelligence reports indicate that more than 200 organizations may be at risk of compromise.

Cl0p, a known cybercriminal organization, has publicly claimed responsibility for identifying and actively exploiting these vulnerabilities. Cl0p is known for its successful attacks exploiting other managed file transfer solutions, such as Accellion, GoAnywhere, and MOVEit. The vulnerabilities Cl0p is exploiting may allow a threat actor to take total control over the software, and at least one cybersecurity vendor has publicly disputed whether both vulnerabilities have been patched. These may be significant vulnerabilities: they are scored 8.8 and 9.8 under the Common Vulnerability Scoring System, out of a maximum score of 10. The significance of the vulnerabilities to your organization depends on your use and application of your cyber controls.

Organizations that use Cleo Harmony, VLTrader, and LexiCom should consider applying the latest patches and actively monitoring for indicators of compromise involving the Cl0p exploit observed in the wild. Equally important, infosec teams should identify vendors using Cleo software and confirm that those vendors are also actively patching and monitoring for the indicators of compromise.
