cleo_scan_external_internal

Explanation

This NDM is designed to detect scanning for Cleo Managed File Transfer that is hitting the customer’s network from the Internet. Cleo offers a family of file transfer products, including Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, that have been subject to vulnerability disclosures in the past.

What to Look For

Scanning activity on the Internet is quite commonplace. Traffic to Cleo Managed File Transfer port 5080 should be restricted to authorized sources and should not be exposed to the entire Internet.
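The check described above, sketched over flow records as an added example (not the product's own detection logic). The internal ranges, the authorized-source range, the scan threshold and the sample flows are all assumptions constructed for illustration; only port 5080 comes from this page.

```python
import ipaddress
from collections import defaultdict

CLEO_PORT = 5080  # Cleo Managed File Transfer port named on this page

# Assumptions for illustration: replace with the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTHORIZED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]  # hypothetical partner range
SCAN_THRESHOLD = 3  # hypothetical: distinct internal hosts touched by one source

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.1.10", 5080),
    ("203.0.113.7", "10.1.1.11", 5080),
    ("203.0.113.7", "10.1.1.12", 5080),
    ("198.51.100.5", "10.1.1.10", 5080),  # authorized source, ignored
    ("192.0.2.44", "10.1.1.10", 5080),    # one unauthorized connection
    ("10.1.2.3", "10.1.1.10", 5080),      # internal to internal, ignored
    ("203.0.113.7", "10.1.1.10", 443),    # different port, ignored
]


def _in_any(ip, nets):
    """Return True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_cleo_exposure(flows):
    """Group external, unauthorized traffic to port 5080 by source address."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port != CLEO_PORT:
            continue
        # Keep only external -> internal traffic.
        if _in_any(src, INTERNAL_NETS) or not _in_any(dst, INTERNAL_NETS):
            continue
        if _in_any(src, AUTHORIZED_SOURCES):
            continue
        targets[src].add(dst)
    return {
        src: {
            "targets": sorted(dsts),
            # Many distinct hosts from one source looks like scanning; any hit
            # at all still means the port is reachable from an unapproved source.
            "verdict": "scan" if len(dsts) >= SCAN_THRESHOLD else "unauthorized_access",
        }
        for src, dsts in targets.items()
    }
```

Any entry in the result, whatever its verdict, indicates that port 5080 is reachable from a source outside the authorized list.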

Related MITRE ATT&CK Categories

Reconnaissance: Active Scanning, Technique T1595 - Enterprise