
Online Criminal Gang Threatens Cleo Victims with Extortion by Hacking


In a recent update on the dark web, the cybercriminal group known as Clop claimed responsibility for hacking into 66 companies that use managed file-transfer software made by Cleo Communications. The group, also referred to as Cl0p, is a ransomware extortion organization believed to be based in Russia. The mass attacks targeted the Harmony, VLTrader, and LexiCom MFT software developed by Cleo, a company based in Rockford, Illinois.

Clop says it has obtained data from numerous companies that use Cleo’s software and has threatened to release a list of these companies within 48 hours. The group has already leaked the first five characters of the companies’ names and has contacted them with extortion demands. Cleo released a patch to users on December 11 after detecting signs of widespread exploitation. Hackers were exploiting an unrestricted file upload vulnerability tracked as CVE-2024-50623. Although a patch was issued in October, the hacking attempts continued, suggesting the vulnerability was not fully addressed.

Further analysis indicated that hackers may have also exploited a new file-write vulnerability, CVE-2024-55956, to insert a malicious host file into the targeted system. This allowed them to obtain the necessary credentials and execute code remotely. Cleo has advised its customers to apply the latest fix urgently to protect their systems from potential attacks.

How long attackers have been exploiting the vulnerabilities remains unclear. Arctic Wolf reported that the campaign began on December 7 and is still ongoing. This is not the first time Clop has targeted file transfer software using zero-day exploits. In a previous attack on MOVEit software in 2023, over 2,770 organizations and more than 95 million individuals were affected. Clop was also responsible for a large-scale attack campaign in 2023 that exploited a zero-day vulnerability in GoAnywhere MFT software, and for global attacks using zero-day flaws in the Accellion File Transfer Appliance in December 2020.

The cybersecurity landscape continues to face persistent threats from cybercriminals like Clop, highlighting the importance of staying vigilant and implementing robust security measures to protect against such malicious activities. As companies rely more on digital technologies and interconnected systems, the risk of cyberattacks increases, underscoring the need for proactive cybersecurity strategies and rapid responses to emerging threats. By staying informed about the latest cybersecurity developments and adopting best practices, organizations can mitigate risks and safeguard their sensitive data from potential breaches.
