Clop Ransomware Claims Responsibility for Cleo Data Theft Attacks

Summary:
The Clop ransomware gang has claimed responsibility for a series of recent data-theft attacks targeting Cleo’s managed file transfer platforms—Harmony, VLTrader, and LexiCom—leveraging vulnerabilities to breach corporate networks and steal sensitive information. In October 2024, Cleo addressed a critical vulnerability (CVE-2024-50623) that enabled unrestricted file uploads and downloads, potentially leading to remote code execution. However, cybersecurity firm Huntress later discovered that Cleo’s original patch was incomplete, allowing threat actors to bypass it. These attackers exploited the vulnerability by uploading a Java-based backdoor, which enabled them to exfiltrate data, execute arbitrary commands, and escalate their access within compromised networks.

While the initial attacks were attributed to a new ransomware group called Termite, subsequent investigations tied the activity to Clop, a ransomware gang with a history of targeting file transfer platforms. Clop confirmed to BleepingComputer that they orchestrated both the exploitation of the original vulnerability and the subsequent bypass discovered by Huntress. In a statement, Clop asserted that they had deleted data from previous attacks involving government services, healthcare, and state-level research, claiming adherence to internal regulations. The group also announced they had permanently removed links to stolen data from their leak site and would focus exclusively on breaches involving new companies affected in the Cleo attacks.

Security Officer Comments:
Clop has a history of targeting secure file transfer platforms, leveraging zero-day vulnerabilities for high-profile data-theft campaigns. Notable incidents include the 2020 Accellion FTA breach, impacting nearly 100 organizations; the 2021 exploitation of SolarWinds Serv-U software; and the 2023 GoAnywhere MFT breach, which affected over 100 companies. Their most significant campaign to date exploited a zero-day in the MOVEit Transfer platform, resulting in data theft from 2,773 organizations, according to Emsisoft.

The full scope of the Cleo attacks is still unclear, with no publicly confirmed victims identified to date. Despite this, Clop's activity aligns with their established pattern of using sophisticated exploits to breach secure data transfer systems.


Suggested Corrections:

Advisory:
https://support.cleo.com/hc/en-us/a...5-Cleo-Product-Security-Update-CVE-2024-55956

Organizations utilizing Cleo’s managed file transfer platforms (Harmony, VLTrader, and LexiCom) should upgrade to the latest version, 5.8.0.24.
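
The upgrade check above is easy to get wrong at fleet scale when version strings are compared as text. The following is an added example, not code from the advisory, Cleo, or BleepingComputer: it compares installed versions against the 5.8.0.24 baseline named above component by component, and the inventory it runs over is constructed sample data.

```python
"""Flag Cleo MFT hosts still below the patched release.

Added example, not from the advisory or from Cleo. The inventory below is
constructed sample data; 5.8.0.24 is the patched version the advisory names.
"""
from typing import NamedTuple

PATCHED_VERSION = "5.8.0.24"
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so components compare numerically.

    Comparing the raw strings is wrong: '5.8.0.9' > '5.8.0.24' as text,
    which would mark an unpatched host as current.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str, baseline: str = PATCHED_VERSION) -> bool:
    """True when the installed version is at or above the baseline."""
    return parse_version(version) >= parse_version(baseline)


class Host(NamedTuple):
    name: str
    product: str
    version: str


def hosts_needing_upgrade(inventory: list[Host]) -> list[Host]:
    """Return hosts running an affected product below the baseline."""
    return [
        h for h in inventory
        if h.product in AFFECTED_PRODUCTS and not is_patched(h.version)
    ]


# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = [
    Host("mft-01", "Harmony", "5.8.0.24"),
    Host("mft-02", "VLTrader", "5.8.0.9"),   # "newer" as text, older numerically
    Host("mft-03", "LexiCom", "5.7.0.0"),
    Host("sftp-01", "OtherProduct", "1.0"),  # not an affected product
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host.name}: {host.product} {host.version} -> upgrade to {PATCHED_VERSION}")
```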

Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com/ne...s-responsibility-for-cleo-data-theft-attacks/