The Clop ransomware gang has claimed responsibility for recent data theft attacks against Cleo, utilizing zero-day vulnerabilities in the company’s file transfer platforms. Cleo’s managed file transfer software—Cleo Harmony, VLTrader, and LexiCom—was targeted, enabling hackers to steal sensitive corporate data.
Clop ransomware targets Cleo data transfer platforms
In October 2023, Cleo addressed a security flaw identified as CVE-2024-50623, which allowed unrestricted file uploads and downloads, potentially leading to remote code execution attacks. However, the cybersecurity firm Huntress discovered that the original patch was ineffective, and attackers managed to exploit a bypass, resulting in ongoing data breaches. The intrusions included the upload of a Java backdoor, which facilitated data theft and granted the attackers further access to compromised networks.
Following the attack, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of CVE-2024-50623 in recent ransomware activities. Cleo has not publicly acknowledged the exploitation of the vulnerability that was reportedly patched. While initial assessments linked these attacks to a new group named Termite, further investigation aligned them more closely with the activities of Clop.
The Clop ransomware group, also known as TA505 and Cl0p, has a track record of exploiting vulnerabilities in secure file transfer platforms. This strategy became prominent in 2020, beginning with a zero-day exploit in the Accellion FTA, impacting nearly one hundred organizations. In 2021, the group leveraged a zero-day vulnerability in SolarWinds Serv-U FTP software, further establishing its focus on these types of attacks.
In 2023, Clop employed a similar tactic against the GoAnywhere MFT platform, which allowed them to compromise data from more than 100 companies. Their most notorious operation involved exploiting a vulnerability in the MOVEit Transfer platform, resulting in data breaches across 2,773 organizations. The current attacks on Cleo are yet another chapter in Clop’s ongoing campaign targeting file transfer solutions, raising significant concerns among enterprises utilizing these platforms.
Cleo has remained largely silent regarding the extent of the impact, and it remains unclear how many organizations have been affected by the recent breaches. Reports indicate that Clop is focusing on new extortion efforts related to the recent Cleo attacks, declaring their intent to delete data associated with previous victims. A message from Clop’s extortion site stated that links to prior victim data would be disabled, with an emphasis on dealing only with new companies targeted in the Cleo exploits.
The United States State Department is pursuing Clop, linking the group to foreign state actors, and has issued a bounty of $10 million for information that leads to their capture.
“As for CLEO, it was our project (including the previous cleo) – which was successfully completed. All the information that we store, when working with it, we observe all security measures. If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit – all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations. with love © CL0P^_,” Clop told BleepingComputer.
Featured image credit: Wesley Ford/Unsplash