The Clop ransomware group has claimed responsibility for compromising the data of 59 companies by exploiting a vulnerability in Cleo’s file transfer products. The attackers listed information about their victims on their dark web site, urging companies to initiate negotiations. If they fail to comply, Clop has threatened to release all the stolen data on January 18.
Initial reports of the breach surfaced in mid-December, when Clop infiltrated Cleo’s systems, though the full scale of the attack was not immediately clear. Notably, the list of 59 companies is likely incomplete, as the hackers had previously issued ultimatums to 66 organizations. It is suspected that negotiations with some victims may have led to their removal from the leaked list.
The vulnerability in question, CVE-2024-50623, carries a severity score of 8.8 on the CVSS scale and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The flaw arises from a lack of restrictions on file uploads and downloads, enabling remote code execution on affected systems. Products at risk include LexiCom, Harmony, and VLTrader versions prior to 5.8.0.21.
Cleo has released a patch, urging clients to immediately update to version 5.8.0.21. However, researchers from Huntress have discovered that even fully patched systems remain vulnerable. Experts have observed widespread exploitation of the vulnerability and significant post-exploitation activity.
Clop claims that many organizations ignored their attempts to make contact and warns that the stolen data will be published on January 18, 2025. Among the named companies is the major brand Hertz, though Hertz representatives have stated that they have not yet detected any signs of data breaches or system compromises.
Clop has a history of successfully targeting file transfer software, having exploited vulnerabilities in MOVEit Transfer, GoAnywhere, Serv-U, and Accellion FTA in the past, underscoring their prominence in this domain.
