Clop Ransomware Gang Exploits Cleo Vulnerability, Impacts Major Companies
The Clop cybercrime group has claimed responsibility for the recent attacks on Cleo Harmony, VLTrader, and LexiCom, platforms used for secure file transfer. The attackers exploited CVE-2024-50623, a vulnerability initially patched in October for which a bypass was later discovered.
Cleo’s products provide automation, monitoring, and protection of file-transfer operations, making them widely used in industries where confidentiality and reliability of data transmission are paramount. The recent incidents, however, have cast doubt on the platforms’ security.
On December 9, experts from Huntress reported that Cleo’s initial security measures proved insufficient. The threat involved the deployment of a Java-based backdoor, enabling the theft of data, command execution, and unauthorized access to corporate networks.
CISA has confirmed the active exploitation of Cleo’s vulnerability for ransomware attacks. However, Cleo itself has not publicly disclosed that the previously patched flaw had already been leveraged by malicious actors.
The attack was initially attributed to a new group called Termite, but Huntress data revealed methodological similarities to Clop’s operations. Clop representatives later admitted their involvement, asserting to journalists that they “care” about data security and have deleted sensitive information pertaining to government agencies, healthcare, and scientific research.
Additionally, Clop posted on their website that all links to previously stolen data have been deactivated and the information destroyed. Moving forward, the group announced their intent to focus solely on new targets related to Cleo attacks.
Clop specializes in exploiting previously unknown vulnerabilities in file transfer platforms. Its notable earlier campaigns targeted Accellion FTA, SolarWinds Serv-U, and MOVEit Transfer; in the MOVEit case, the attackers exfiltrated data from over 2,700 organizations.
At the time of publication, the number of companies affected by the Cleo attacks remains undisclosed. The U.S. State Department has offered a reward of $10 million for information linking Clop to foreign governments.