Clop Ransomware Gang Admits to Cleo Data Breach Attacks

December 15, 2024

The Clop ransomware group has publicly confirmed its involvement in recent data-theft attacks on Cleo, a company that develops managed file transfer platforms. The attackers used zero-day vulnerabilities to infiltrate corporate systems and exfiltrate data. Cleo, whose products Cleo Harmony, VLTrader, and LexiCom are used for secure file exchange between businesses and their customers, patched a vulnerability (CVE-2024-50623) in October that permitted unrestricted file uploads and downloads and could lead to remote code execution. However, cybersecurity company Huntress found last week that the initial patch could be bypassed, and that threat actors were exploiting the bypass to carry out data theft attacks.

The threat actors exploited the vulnerability to upload a Java backdoor, which enabled data theft, command execution, and further access to the compromised network. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the critical CVE-2024-50623 vulnerability in Cleo's software has been exploited in ransomware attacks. However, Cleo did not publicly disclose that the original flaw it attempted to fix had been exploited.

While it was initially believed that the attacks were conducted by the Termite ransomware gang, the exploitation techniques matched those previously used by the Clop ransomware gang. When contacted, Clop confirmed that it was responsible both for the recent exploitation of the Cleo vulnerability detected by Huntress and for the attacks on the original CVE-2024-50623 flaw. The ransomware group has now announced that it is deleting data associated with past attacks from its data leak server and will only work with the new companies breached in the Cleo attacks.

The Clop ransomware gang has a history of targeting previously unknown vulnerabilities in secure file transfer platforms for data theft attacks. In December 2020, they exploited a zero-day in the Accellion FTA secure file transfer platform, impacting nearly 100 organizations. In 2023, they exploited a zero-day in the GoAnywhere MFT platform, stealing data from over 100 companies. Their most significant attack was using a zero-day in the MOVEit Transfer platform, which enabled them to steal data from 2,773 organizations, as reported by Emsisoft.

At the moment, the extent of the impact of the Cleo data theft attacks is unclear, and there is no information about any companies confirming a breach through the platform.
