Sunday, March 16, 2025

Clop ransomware claims responsibility for Cleo data theft attacks


The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, using zero-day exploits to breach corporate networks and steal data.

Cleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use to securely exchange files between their business partners and customers.

In October, Cleo fixed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads, leading to remote code execution.

However, cybersecurity firm Huntress discovered last week that the original patch was incomplete and that threat actors were actively exploiting a bypass to conduct data theft attacks.

While exploiting this vulnerability, the threat actors were uploading a Java backdoor that allowed the attackers to steal data, execute commands, and gain further access to the compromised network.

On Friday, CISA confirmed that the critical CVE-2024-50623 security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software has been exploited in ransomware attacks. However, Cleo never publicly disclosed that the original flaw they attempted to fix in October was being exploited.

Clop claims responsibility for Cleo data theft attacks

It was previously thought that the Cleo attacks were conducted by a new ransomware gang named Termite. However, the Cleo data theft attacks tracked more closely to previous attacks conducted by the Clop ransomware gang.

After contacting Clop on Tuesday, the ransomware gang confirmed to BleepingComputer that they are behind the recent exploitation of the Cleo vulnerability detected by Huntress, as well as the exploitation of the original CVE-2024-50623 flaw fixed in October.

“As for CLEO, it was our project (including the previous cleo) – which was successfully completed.

All the information that we store, when working with it, we follow all security measures. If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit – all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations.

with love © CL0P^_”

❖ Clop told BleepingComputer

The extortion gang has now announced that they are deleting data associated with past attacks from their data leak server and will only work with new companies breached in the Cleo attacks.

“Dear companies, Due to recent events (attack of CLEO) all links to data of all companies will be disabled and data will be permanently deleted from servers. We will work only with new companies,” reads a new message on the gang’s CL0P^_- LEAKS extortion site.

“Happy New Year © CL0P^_ all the victims from their data leak site.”

Message on the CL0P^_- LEAKS extortion site
Source: BleepingComputer

BleepingComputer asked Clop when the attacks started, how many companies were impacted, and whether Clop was affiliated with the Termite ransomware gang, but did not receive a response to these questions.

BleepingComputer also contacted Cleo on Friday to confirm whether Clop was behind the exploitation of the vulnerabilities but did not receive a response.

Specializing in exploiting file transfer platforms

The Clop ransomware gang, aka TA505 and Cl0p, launched in March 2019, when it first began targeting the enterprise using a variant of the CryptoMix ransomware.

Like other ransomware gangs, Clop breached corporate networks and slowly spread laterally through their systems while stealing data and documents. Once they had harvested everything of value, they deployed ransomware on the network to encrypt its devices.

However, since 2020, the ransomware gang has specialized in targeting previously unknown vulnerabilities in secure file transfer platforms for data theft attacks.

In December 2020, Clop exploited a zero-day in the Accellion FTA secure file transfer platform, which impacted nearly 100 organizations.

Then in 2021, the ransomware gang exploited a zero-day in SolarWinds Serv-U FTP software to steal data and breach networks.

In 2023, Clop exploited a zero-day in the GoAnywhere MFT platform, allowing the ransomware gang to again steal data from over 100 companies.

However, their most significant attack of this kind was using a zero-day in the MOVEit Transfer platform that allowed them to steal data from 2,773 organizations, according to a report by Emsisoft.

Currently, it is not clear how many companies were impacted by the Cleo data theft attacks, and BleepingComputer does not know of any companies that have confirmed being breached through the platform.

The U.S. State Department’s Rewards for Justice program currently has a $10 million bounty for information linking the Clop ransomware attacks to a foreign government.
