Data and personal information shared through a third-party file transfer system is potentially at risk, according to recent alerts issued by the Canadian Centre for Cyber Security and the U.S. Cybersecurity and Infrastructure Security Agency.[1]

In cases where data is compromised, for example through a ransomware attack, ultimate accountability and responsibility for the data lie with the organization that has custody and control of it. Organizations that use these third-party tools therefore remain accountable to the individuals to whom the personal information pertains, including with respect to potential legal notifications.

Discovered zero-day vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency has reported the discovery of serious vulnerabilities in Cleo’s managed file transfer platforms, including Cleo Harmony, VLTrader, and LexiCom.[2] These widely used platforms for secure file exchanges have been actively exploited by cybercriminals, including the Clop ransomware gang. The vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, enable unauthorized access to sensitive data, resulting in breaches and data theft.[3]

Vulnerabilities and exploits

  1. CVE-2024-50623: This flaw, disclosed in October 2024, enables unrestricted file uploads and downloads, allowing remote code execution. Despite a patch, attackers continue exploiting it via a backdoor.
  2. CVE-2024-55956: Discovered in December 2024, this vulnerability allows attackers to upload arbitrary files, including a Java backdoor (“Malichus”), enabling data theft and further access to compromised networks.

Both vulnerabilities are being actively targeted by the Clop ransomware gang, posing a serious risk due to their high level of severity.[4]

Immediate actions to take

  1. Update Your Systems: Ensure that you are using the latest versions of Cleo Harmony, VLTrader, and LexiCom (version 5.8.0.24 or higher).[5]
  2. Monitor for Signs of Compromise: Be vigilant for unusual activities within your network, such as unexplained file uploads or changes in file integrity.
  3. Assess Vendor Risk: If your vendors use Cleo products, it is crucial to confirm that they have applied the necessary patches and are actively monitoring their systems for signs of attack. Ensure that your third-party risk management processes include checks on vendor cybersecurity practices.[6]
  4. Review Data Access Protocols: Implement stricter access controls and enable multi-factor authentication (MFA).
  5. Consult with Experts: Contact your cybersecurity team if you suspect a breach.
  6. Prepare for Ransomware Protection: Regularly test backups and review your incident response plan.
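
Steps 1 and 3 above come down to checking every Cleo install, internal or vendor-operated, against the 5.8.0.24 threshold. The following is an added example, not part of the original article or any Cleo tooling; the CSV columns, host names and owners are constructed assumptions, and an unparseable version is flagged for follow-up rather than treated as safe.

```python
import csv
import io
import re

# Patched threshold stated in the article for all three products.
MIN_PATCHED = (5, 8, 0, 24)
AFFECTED = {"harmony", "vltrader", "lexicom"}

# Constructed sample inventory (hosts, owners and versions are made up).
SAMPLE_INVENTORY = """host,owner,product,version
mft-01,internal,Cleo Harmony,5.8.0.21
mft-02,internal,Cleo VLTrader,5.8.0.24
edi-gw,vendor-a,Cleo LexiCom,5.7
xfer-3,vendor-b,Cleo Harmony,5.8.1
xfer-4,vendor-b,Cleo LexiCom,unknown
web-01,internal,nginx,1.24.0
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a dotted version."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 5.8.1 compares as 5.8.1.0

def triage(inventory_csv):
    """Classify each Cleo install as 'patched', 'vulnerable' or 'verify'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].lower().replace("cleo", "").strip()
        if product not in AFFECTED:
            continue  # not one of the three products named in the alerts
        version = parse_version(row["version"])
        if version is None:
            status = "verify"  # unknown version: treat as unconfirmed, not as safe
        elif version >= MIN_PATCHED:
            status = "patched"
        else:
            status = "vulnerable"
        results.append((row["host"], row["owner"], status))
    return results

if __name__ == "__main__":
    for host, owner, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {owner:10} {status}")
```

Rows marked "verify" are the ones to raise with the system owner or vendor, since an unconfirmed version gives no assurance that the patch was applied.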

Conclusion

The exploitation of these vulnerabilities poses a critical data security threat. Implement the necessary updates and security practices to protect your organization from potential breaches.

If you have any questions or would like further information regarding how your organization can enhance its cybersecurity and data protection strategies, please contact a member of the Miller Thomson LLP Technology, IP and Privacy Group.


[1] Canadian Centre for Cyber Security, “Alert – Vulnerability impacting all versions of Cleo VLTrader, Harmony, and LexiCom software” (December 11, 2024), online: Government of Canada <www.cyber.gc.ca/en/alerts-advisories/vulnerability-impacting-all-versions-cleo-vltrader-harmony-and-lexicom-software>. See also Lawrence Abrams, “Clop ransomware claims responsibility for Cleo data theft attacks” (December 15, 2024), online: BleepingComputer <www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/>.

[2] Mathew J Schwartz, “Clop Ransomware Takes Responsibility for Cleo Mass Exploits” (December 16, 2024), online: Gov Info Security <www.govinfosecurity.com/clop-ransomware-takes-responsibility-for-cleo-mass-exploits-a-27074>.

[3] Scott T Lashway et al., “Patch, Investigate, and Defend: Critical and High Vulnerabilities in Cleo Managed File Transfer Solutions Reportedly Under Attack” (December 17, 2024), online: National Law Review <natlawreview.com/article/patch-investigate-and-defend-critical-and-high-vulnerabilities-cleo-managed-file>.

[4] Ibid.

[5] Scott T Lashway et al., supra note 3.

[6] Ibid.