The Clop ransomware gang has claimed responsibility for stealing data from at least 66 companies by exploiting a vulnerability in Cleo Software’s file transfer tools. The claim, reported on December 25, 2024, is the latest step in the gang’s ongoing campaign against vulnerable corporate systems. Clop announced that victims have 48 hours to comply with its ransom demands, failing which it will publish the full names of the affected companies.
Clop ransomware gang exploits Cleo software affecting 66 companies
The breach centers on a zero-day vulnerability tracked as CVE-2024-50623, affecting Cleo’s LexiCom, VLTrader, and Harmony products. The flaw allows unrestricted remote file uploads and downloads, which an attacker can chain into remote code execution on the server. Cleo states that its software is used by over 4,000 organizations globally, so the pool of companies at risk could be considerably larger than the 66 named so far. Clop’s previous campaigns followed the same pattern, exploiting flaws in the Accellion, GoAnywhere, and MOVEit file transfer platforms.
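The class of bug described above, in its simplest form: a file transfer server joins a client-supplied path onto its install directory without confining the result, so the client can read any file on the host and, worse, write a file into a directory the server itself acts on. The following is an added illustration written for this article, not Cleo’s code and not an exploit for CVE-2024-50623; the install root `/srv/mft-demo`, the `inbox` directory and the function names are all assumptions made for the demo.

```python
import os

# Constructed layout for this demo (illustrative, not Cleo's real install):
# a file-transfer daemon rooted at BASE. Like many managed file transfer
# products it also owns directories whose contents it executes or acts on,
# so letting a client write outside INBOX is as good as code execution.
BASE = "/srv/mft-demo"               # hypothetical install root
INBOX = os.path.join(BASE, "inbox")  # the only directory clients may write to


def vulnerable_resolve(user_path: str) -> str:
    """The unsafe pattern: join the client-supplied name onto BASE as-is.

    os.path.join throws BASE away when user_path is absolute, and '..'
    components walk out of it. Either way the client chooses any path on
    the host, which is the shape of an unrestricted upload/download flaw.
    """
    return os.path.normpath(os.path.join(BASE, user_path))


def _confine(root: str, user_path: str) -> str:
    """Return the canonical path of user_path under root, or raise."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise ValueError("absolute path or NUL byte rejected")
    root = os.path.realpath(root)
    # realpath normalises '..' and follows symlinks, so a symlink planted
    # inside root that points outside it is caught as well.
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes {root}: {user_path!r}")
    return candidate


def resolve_download(user_path: str) -> str:
    """Downloads may read anything under BASE but nothing outside it."""
    return _confine(BASE, user_path)


def resolve_upload(user_path: str) -> str:
    """Uploads land only in INBOX, and only as a bare filename, so a
    client can never pick a directory the server executes from."""
    if user_path in ("", ".", "..") or os.path.basename(user_path) != user_path:
        raise ValueError(f"upload name must be a bare filename: {user_path!r}")
    return _confine(INBOX, user_path)


def rejected(resolver, user_path: str) -> bool:
    """True if resolver refuses user_path (used by the demo below)."""
    try:
        resolver(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one honest name, two traversal attempts.
    for p in ("inbox/report.csv", "../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:24} unsafe -> {vulnerable_resolve(p)}")
        print(f"{'':24} safe   -> "
              f"{'rejected' if rejected(resolve_download, p) else resolve_download(p)}")
```

The point of the split between `resolve_download` and `resolve_upload` is that confining reads to the install root is not enough: a write anywhere under that root can still land in a directory the daemon processes automatically, so uploads get a separate, narrower root and a bare-filename rule. A real fix also has to apply the same check on every code path that takes a filename, which is exactly where incomplete patches tend to fall short.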
Clop’s recent actions mark a significant escalation, as they have directly contacted victims, providing secure channels for ransom negotiations. The gang published partial names of affected companies on their dark web site, claiming that the current list only reflects those who have not engaged with them. This further alludes to the possibility that the number of compromised companies could be higher than reported.
Cleo has warned customers that CVE-2024-50623 is being actively exploited and has released patches for the affected products. However, security researchers have raised concerns that the initial fix can be bypassed. Huntress disclosed the in-the-wild exploitation earlier this month, warning users that attackers were already abusing the flaw. Clop’s confirmation that it used the vulnerability for its latest data theft campaign makes the exposure of unpatched or incompletely patched systems all the more serious.
Macnica’s Yutaka Sejiyama told BleepingComputer that even with the partial company names, cross-referencing them against publicly visible information on internet-exposed Cleo servers could identify some of the victims. As the situation develops, it remains unclear how many organizations will ultimately be affected and what measures will be taken to address these vulnerabilities.
Clop has a notorious history of leveraging zero-day vulnerabilities to infiltrate corporate networks, as evidenced by their prior hacks connected to other popular file transfer platforms. The stolen data from these incidents often serves as leverage for ransom payments, as companies strive to avoid the public exposure of sensitive information. In this latest attack, Clop explicitly stated the urgency for companies to respond to their demands, underlining their intent to release full names of victims who do not engage.
The gang’s choice of targets is deliberate: managed file transfer products sit on the internet edge, broker large volumes of data between business partners, and are often patched slowly, which makes a single zero-day in one of them worth dozens of victims at once.
Featured image credit: Kerem Gülen/Midjourney