Full Report
Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached. [...]
Analysis Summary
The provided article focuses on a data breach notification from Western Alliance Bank and then pivots significantly to detail attacks conducted by the Clop ransomware gang exploiting vulnerabilities in Cleo software. Given the structure required, the summary will focus on the **Clop/Cleo Incident** as it contains detailed timeline/technique information, while acknowledging the Western Alliance Bank notification as context for impact disclosure.
# Incident Report: Clop Ransomware Exploitation of Cleo Software
## Executive Summary
The Clop ransomware gang exploited two zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo software (LexiCom, VLTransfer, Harmony) starting around October/December, leading to unauthorized data exfiltration. The attack involved deploying a Java backdoor named "Malichus." While the specific impact on Western Alliance Bank is inferred via the notification, the primary technical details revolve around the exploitation of Cleo's Managed File Transfer (MFT) solutions.
## Incident Details
- Discovery Date: Late 2023/Early 2024 (Implied by patch dates in Oct/Dec)
- Incident Date: Initial exploitation activities occurred around October and December when vulnerabilities were disclosed and patched, respectively.
- Affected Organization: Western Alliance Bank is noted for a recent customer data breach notification (21,899 customers affected), but the technical details provided focus on **Cleo Software customers**.
- Sector: Financial Services (Western Alliance Bank); Technology/Data Transfer Services (Cleo)
- Geography: Not explicitly stated, but Clop is a global threat actor.
## Timeline of Events
### Initial Access
- **Date/Time:** Exploitation began around October 2023 (when the first vulnerability was patched) and continued through December 2023.
- **Vector:** Pre-authentication zero-day vulnerabilities in Cleo software (CVE-2024-50623 and CVE-2024-55956), affecting LexiCom, VLTransfer, and Harmony instances.
- **Details:** CVE-2024-50623 was an unrestricted file upload/download flaw. CVE-2024-55956 allowed for the deployment of a Java backdoor ("Malichus").
### Lateral Movement
- **Details:** Attackers used the deployed JAVA backdoor ("Malichus") to "execute commands, and gain further access to the victims' networks."
### Data Exfiltration/Impact
- **Details:** The primary impact was data theft ("data theft campaigns"). The inclusion of the Western Alliance Bank notification suggests customer PII/confidential data was compromised, affecting 21,899 customers.
### Detection & Response
- **How it was discovered:** Cleo detected the exploitation attempts and began issuing security advisories and patches in October and December.
- **Response actions taken:** Cleo released security updates for both zero-day flaws, warning customers to upgrade immediately.
## Attack Methodology (Based on Exploitation of Cleo Software)
- **Initial Access:** Exploitation of pre-auth zero-day vulnerability CVE-2024-50623 (Unrestricted File Upload/Download/RCE).
- **Persistence:** Installation of a malicious Freemarker template containing server-side JavaScript, leading to the deployment of the JAVA backdoor named "Malichus."
- **Privilege Escalation:** Not explicitly detailed, but gaining remote execution via a zero-day typically grants high initial privileges on the vulnerable application server.
- **Defense Evasion:** Exploiting zero-day flaws inherently bypasses existing security controls for which signatures do not yet exist.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Using the "Malichus" backdoor to execute commands and gain *further* access to the victims' networks.
- **Collection:** Data gathering necessary for exfiltration.
- **Exfiltration:** Data theft campaigns, characteristic of the Clop ransomware group's typical methodology.
- **Impact:** Data theft, leading to public breach notifications (e.g., Western Alliance Bank).
## Impact Assessment
- **Financial:** Costs associated with remediation, customer notification, and potential regulatory fines (Not quantified in the source).
- **Data Breach:** Data belonging to at least 21,899 Western Alliance Bank customers was compromised.
- **Operational:** Disruption due to patching and investigation related to affected Cleo MFT solutions.
- **Reputational:** Negative impact associated with data breach notifications in the financial sector.
## Indicators of Compromise
*(Note: No specific IOCs were provided in the text; indicators relate to the vulnerabilities exploited.)*
- **Network indicators:** Attempts to exploit vulnerabilities associated with Cleo software configurations.
- **File indicators:** Presence of the "Malichus" JAVA backdoor; malicious Freemarker template code.
- **Behavioral indicators:** Unusual file upload/download activity or command execution on Cleo application servers.
## Response Actions
- **Containment measures:** Customers were urged to upgrade immediately upon release of security advisories (October/December).
- **Eradication steps:** Removal of the "Malichus" Java backdoor and remediation of exploited software instances.
- **Recovery actions:** Not detailed, but would involve restoring affected Cleo instances and validating system security.
## Lessons Learned
- **Key takeaways:** Supply chain risk remains high, particularly concerning widely used MFT solutions (Cleo joins MOVEit, GoAnywhere, Accellion as a high-profile target). Zero-day vulnerabilities can be weaponized immediately upon discovery or before patches are widely adopted.
- **What could have been done better:** Organizations using this software needed immediate patch application following vendor alerts.
## Recommendations
- **Prevention measures for similar incidents:** Maintain an aggressive vulnerability management program prioritizing patching for known exploited vulnerabilities (KEVs). Implement network segmentation and least privilege access for MFT servers, as these often serve as high-value targets for initial compromise.