Clop Ransomware Claims Responsibility for Widespread Cleo Data Theft
The Clop ransomware gang has publicly admitted responsibility for the recent wave of data theft attacks targeting Cleo, a prominent provider of managed file transfer platforms.
This confirmation comes after cybersecurity researchers and government agencies linked the attacks to the notorious ransomware group. The attacks exploited critical vulnerabilities in Cleo’s software, highlighting the significant risk posed by unpatched software and the sophisticated tactics employed by advanced threat actors.
Technical Details of the Cleo Data Theft Attacks
The attacks leveraged zero-day vulnerabilities in Cleo Harmony, VLTrader, and LexiCom, file transfer platforms used by organizations to securely exchange files with business partners and customers.
Cleo initially patched a vulnerability tracked as CVE-2024-50623 in October; it allows unrestricted file uploads and downloads and leads to remote code execution. However, Huntress subsequently found that the original patch was incomplete, leaving a critical bypass that threat actors could still exploit.
Exploiting this bypass, attackers uploaded a Java backdoor that gave them extensive access to compromised networks. The backdoor enabled the theft of sensitive data, execution of arbitrary commands, and further lateral movement within the victim’s infrastructure.
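The underlying weakness here is a file transfer endpoint that accepts any name and any content into a location the server later acts on. The example below is added for illustration and is not Cleo's code; it shows the three checks a defender would expect such an endpoint to enforce (path containment, an extension allowlist, and content inspection for Java class files and JAR/WAR containers) and runs them over a constructed set of uploads. The upload root `/srv/transfer/inbox`, the extension policy, and the sample file names are assumptions, not values from the article.

```python
import io
import posixpath
import zipfile
from typing import Dict, List, Optional, Tuple

# Assumed policy for this example: the inbox only accepts plain data documents.
ALLOWED_EXTENSIONS = {".csv", ".xml", ".pdf", ".txt", ".zip"}
EXECUTABLE_EXTENSIONS = {".jar", ".class", ".war", ".jsp", ".sh", ".exe", ".dll"}

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every compiled Java class begins with this
ZIP_MAGIC = b"PK\x03\x04"                # JAR and WAR files are ZIP containers


def resolve_upload_path(upload_root: str, filename: str) -> Optional[str]:
    """Return the normalized destination path, or None if it escapes upload_root."""
    if "\x00" in filename or filename.strip() == "":
        return None
    # Treat backslashes as separators too, so "..\\" sequences are normalized as well.
    candidate = posixpath.normpath(posixpath.join(upload_root, filename.replace("\\", "/")))
    root = posixpath.normpath(upload_root)
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def classify_content(data: bytes, ext: str) -> Optional[str]:
    """Return a rejection reason if the bytes look like executable Java code."""
    if data.startswith(JAVA_CLASS_MAGIC):
        return "content is a compiled Java class"
    if data.startswith(ZIP_MAGIC):
        if ext != ".zip":
            return "ZIP/JAR container disguised with extension " + ext
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if posixpath.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                        return "archive contains executable entry " + name
        except zipfile.BadZipFile:
            return "malformed ZIP archive"
    return None


def validate_upload(filename: str, data: bytes,
                    upload_root: str = "/srv/transfer/inbox") -> Tuple[bool, str]:
    """Apply path, extension and content checks; return (accepted, reason_or_dest)."""
    dest = resolve_upload_path(upload_root, filename)
    if dest is None:
        return False, "path escapes upload root"
    ext = posixpath.splitext(dest)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return False, "executable extension " + ext
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist: " + (ext or "<none>")
    reason = classify_content(data, ext)
    if reason:
        return False, reason
    return True, dest


def build_jar_with_class() -> bytes:
    """Constructed sample: a minimal JAR holding one placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Helper.class", JAVA_CLASS_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed uploads: one legitimate document and four that should be refused.
SAMPLE_UPLOADS: List[Tuple[str, bytes]] = [
    ("invoice.csv", b"id,amount\n1,20\n"),
    ("../../autorun/helper.jar", build_jar_with_class()),   # traversal out of the inbox
    ("update.zip", build_jar_with_class()),                 # allowed type, executable inside
    ("notes.txt", JAVA_CLASS_MAGIC + b"\x00" * 8),          # class bytes behind a .txt name
    ("report.csv", build_jar_with_class()),                 # JAR bytes behind a .csv name
]


def triage(uploads: List[Tuple[str, bytes]]) -> Dict[str, Tuple[bool, str]]:
    """Run every sample through validate_upload and collect the verdicts."""
    return {name: validate_upload(name, data) for name, data in uploads}


if __name__ == "__main__":
    for name, (accepted, detail) in triage(SAMPLE_UPLOADS).items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name!r}: {detail}")
```

The content checks matter because an extension allowlist alone is exactly the kind of control an incomplete patch tends to leave half-enforced: the same validator rejects the disguised JAR whether the name says `.jar`, `.csv`, or `.zip`, because the decision is made on the bytes as well as the name.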
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of CVE-2024-50623 in ransomware attacks, underscoring the severity of the vulnerability and the impact of the Clop ransomware attacks.
Clop’s Statement and Actions
In a statement to BleepingComputer, Clop confirmed its involvement, stating, “As for CLEO, it was our project (including the previous cleo) – which was successfully completed. All the information that we store, when working with it, we observe all security measures. If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit – all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations. with love © CL0P^_”.
Further, Clop announced on its CL0P^_- LEAKS extortion site that all links to data from previous attacks would be disabled and the data permanently deleted. This unprecedented move, seemingly intended to improve their public image, was followed by a message wishing “Happy New Year” to all victims. However, the ransomware group will continue to work with new companies breached in the Cleo attacks.
Clop’s History of Targeting File Transfer Platforms
The Clop ransomware gang, also known as TA505 and Cl0p, has a history of exploiting vulnerabilities in secure file transfer platforms for data theft. This pattern started in 2020 with the exploitation of a zero-day in Accellion FTA, impacting nearly 100 organizations. Subsequent attacks targeted SolarWinds Serv-U FTP software and GoAnywhere MFT platform, resulting in data breaches affecting numerous companies.
Their most significant attack to date involved the exploitation of a zero-day in the MOVEit Transfer platform, impacting a staggering 2,773 organizations, according to an Emsisoft report. The Cleo data theft represents a continuation of this pattern, highlighting the group’s focus on this specific attack vector.
The Ongoing Investigation and Impact
While Clop has claimed responsibility, the exact number of companies affected by the Cleo data theft attacks remains unclear.
The U.S. State Department’s Rewards for Justice program continues to offer a $10 million bounty for information linking Clop ransomware attacks to a foreign government, underscoring the seriousness of the threat posed by this group and the Cleo data theft.
The exploitation of zero-day vulnerabilities in widely used software like Cleo’s file transfer platforms highlights the need for continuous vigilance and proactive security measures. The ongoing investigation into the Cleo data theft and Clop ransomware’s activities will likely reveal further details about the scope and impact of this significant cybercrime event.