IT Brief UK - Technology news for CIOs & IT decision-makers
Arctic Wolf uncovers 0-day Cleo MFT vulnerability exploit

The Arctic Wolf Labs Threat Intelligence Teams have identified a new threat involving a 0-Day vulnerability in Cleo Managed File Transfer products.

In December 2024, Arctic Wolf Labs detected an extensive exploitation campaign targeting Cleo Managed File Transfer (MFT) products. The technique employed by the threat actors involved the use of an obfuscated PowerShell stager, a Java loader, and a Java-based backdoor now named Cleopatra.

The exploitation campaign began on 7 December 2024 and is ongoing. Cleopatra supports in-memory file storage, runs on both Windows and Linux, and is specifically engineered to access data stored in Cleo MFT software.

Although the campaign used a range of IP addresses as command-and-control destinations, the initial vulnerability scanning was observed from just two IP addresses.

The Arctic Wolf Labs report, "Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software," provides insights such as a visual timeline of exploitation clusters and details about the IP addresses that initiated the attacks. The report also connects known exploiter HTTP activity with the malicious PowerShell command and discusses Cleo-specific functions within the Cleopatra backdoor.

Mark Thomas, Director Security Services, ANZ at Arctic Wolf, offered advice for Australian organisations affected by this vulnerability: "Considering the recent public disclosure of a proof-of-concept exploit for the Cleo zero-day vulnerability, exploitation is now expected to become more widespread. We strongly encourage Australian organisations to take this zero-day vulnerability seriously and prioritise the fix ahead of the holidays. Arctic Wolf continues to see many organisations within the ANZ region failing to prioritise patch management to update zero-day vulnerabilities, which cyber criminals then exploit to gain access to credentials, systems and devices. Now that a fix is available, Australian organisations running Cleo software should upgrade to version 5.8.0.24 or newer as soon as possible."

Thomas also noted, "Notably, Arctic Wolf's Threat Labs Report earlier this year revealed that nearly 60% of business email compromise (which makes up 29.7% of the total cyber incidents investigated by the Lab Team) exploited a vulnerability identified in 2022 or earlier, meaning organisations had anywhere from months to years to patch the affected system or remove (or further safeguard) external access."
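The article describes the intrusion chain as an obfuscated PowerShell stager launched on the MFT host, followed by a Java loader and the Cleopatra backdoor, and names 5.8.0.24 as the fixed release. The script below is an added example (not code from the Arctic Wolf report or from Cleo) showing how a defender might triage process-creation telemetry for that stager stage and check installed versions against the fix threshold. The sample events are constructed, the encoded script inside them is a harmless placeholder rather than the real stager, and the assumption that the Cleo service runs as a JVM (so that a PowerShell child of `java.exe` is worth flagging) is mine, not something the article states.

```python
"""Added example: triage logic for the PowerShell-stager stage described in the article.

Constructed sample events stand in for EDR/Sysmon process-creation telemetry; they are
not indicators from the Arctic Wolf report.
"""
import base64
import re
from typing import Dict, List

# Version the article names as containing the fix; used as the patch-compliance threshold.
FIXED_VERSION = "5.8.0.24"

# Matches the EncodedCommand switch in its common abbreviated forms (-e, -ec, -enc, ...)
# followed by a base64 token.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
NOPROFILE_RE = re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.IGNORECASE)


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand payload the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (parent image, child image, command line). The encoded
# script is a harmless placeholder, not the real stager.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Java\bin\java.exe",  # assumption: the MFT host process is a JVM
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encode_ps("Write-Output 'placeholder stager'")},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\temp"},
    {"parent": r"C:\Program Files\Java\bin\java.exe",
     "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "java.exe -jar placeholder-loader.jar"},
]


def decode_encoded_command(token: str) -> str:
    """Recover the script text from a -EncodedCommand argument; '' if it does not decode."""
    try:
        raw = base64.b64decode(token, validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event for stager-like PowerShell behaviour."""
    cmd = event["cmdline"]
    indicators: List[str] = []
    decoded = ""
    if event["image"].lower().endswith("powershell.exe"):
        m = ENCODED_RE.search(cmd)
        if m:
            indicators.append("encoded-command")
            decoded = decode_encoded_command(m.group(1))
        if HIDDEN_RE.search(cmd):
            indicators.append("hidden-window")
        if NOPROFILE_RE.search(cmd):
            indicators.append("no-profile")
        if event["parent"].lower().endswith(("java.exe", "javaw.exe")):
            indicators.append("java-parent")
    return {"event": event, "indicators": indicators, "decoded": decoded}


def find_suspicious(events, min_indicators: int = 2):
    """Return analyses meeting the indicator threshold; the decoded script is attached for triage."""
    return [a for a in (analyze_event(e) for e in events)
            if len(a["indicators"]) >= min_indicators]


def parse_version(version: str):
    """Split a dotted version into a comparable tuple, padded to four components."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_fixed(version: str) -> bool:
    """True when an installed Cleo version is at or above the fixed release the article names."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["indicators"], "->", hit["decoded"])
    for v in ("5.8.0.21", "5.8.0.24"):
        print(v, "fixed" if is_fixed(v) else "needs upgrade")
```

The threshold of two indicators keeps a lone `-EncodedCommand` from an administrator's script out of the alert queue, while the decoded script text gives an analyst something to read before escalating; the version check is the fleet-wide question the quoted advice implies (which hosts are still below 5.8.0.24).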
