Clop ransomware claims responsibility for Cleo data theft attacks

The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits to breach corporate networks and steal data.

Cleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use to securely exchange files between their business partners and customers.

In October, Cleo fixed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads, leading to remote code execution.

However, cybersecurity firm Huntress discovered last week that the original patch was incomplete and threat actors were actively exploiting a bypass to conduct data theft attacks.

While exploiting this vulnerability, the threat actors were uploading a JAVA backdoor that allowed the attackers to steal data, execute commands, and gain further access to the compromised network.

On Friday, ​CISA confirmed that the critical CVE-2024-50623 security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software has been exploited in ransomware attacks. However, Cleo never publicly disclosed that the original flaw they attempted to fix in October was exploited.

Clop claims responsibility for Cleo data theft attacks

Supply chain company Blue Yonder was recently attacked by the Termite ransomware gang and it is thought that they were breached through a Cleo server that was exposed to the Internet. However, the Cleo data theft attacks tracked more closely to previous attacks conducted by the Clop ransomware gang.

It was thought that Clop may have rebranded as Termite or was linked to the newer ransomware gang but it is unclear at this time and both operations appear to be running independently.

After contacting Clop on Tuesday, the ransomware gang confirmed to BleepingComputer that they are behind the recent exploitation of the Cleo vulnerability detected by Huntress as well as the exploitation of the original CVE-2024-50623 flaw fixed in October.

The extortion gang has now announced that they are deleting data associated with past attacks from their data leak server and will only work with new companies breached in the Cleo attacks.

"Dear companies, Due to recent events (attack of CLEO) all links to data of all companies will be disabled and data will be permanently deleted from servers. We will work only with new companies," reads a new message on the gang's CL0P^_- LEAKS extortion site.

"Happy New Year © CL0P^_ all of the victims from their data leak site."

BleepingComputer asked Clop when the attacks began, how many companies were impacted, and if Clop was affiliated with the Termite ransomware gang, but did not receive a response to these questions.

BleepingComputer also contacted Cleo on Friday to confirm if Clop was behind the exploitation of the vulnerabilities but did not receive a response.

Specializing in security file transfer zero-days

Targeting previously unknown vulnerabilities in secure file transfer platforms for data theft attacks has become a specialty of the Clop threat actors.

In December 2020, Clop exploited a zero-day in the Accellion FTA secure file transfer platform, which impacted nearly one hundred organizations.

In 2023, Clop exploited a zero-day in the GoAnywhere MFT platform, allowing the ransomware gang to steal data from over 100 companies again.

However, their most significant attack of this kind was using a zero-day in the MOVEit Transfer platform that allowed them to steal data from 2,773 organizations, according to a report by Emsisoft.

At this time, it is not clear how many companies have been impacted by the Cleo data theft attacks, and BleepingComputer does not know of any companies who have confirmed being breached through the platform.