The notorious Clop ransomware gang has claimed responsibility for the recent attacks on Cleo's file transfer software. Zero-day vulnerabilities in this software allowed the attackers to steal data from multiple corporate end users.
That is what the group told Bleeping Computer in a statement. The attack was made possible by vulnerabilities in Cleo's managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom. Business end users rely on these platforms to transfer their data securely.
Attack path
Cleo released a patch in October earlier this year for a vulnerability, CVE-2024-50623, that allowed unrestricted file uploads and downloads and could ultimately lead to remote code execution (RCE).
However, security firm Huntress recently discovered that the original patch was incomplete, and the attackers exploited a bypass of it to carry out data theft. The bypass let them upload a Java backdoor, which they used to steal data, execute commands, and gain further access to the compromised corporate networks.
Notorious MOVEit attack
In its statement, Clop confirms that it is behind the attacks. It also says it intends to extort only new victims over the stolen data. Data from earlier victims has reportedly been deleted, as has data from government agencies and health care organizations.
Clop frequently targets file transfer software. It is believed to be responsible for the highly publicized attack on the MOVEit Transfer platform, in which data from some 2,773 companies and organizations was allegedly captured.
Premium of $10 million
Meanwhile, U.S. cybersecurity regulator CISA has confirmed the new vulnerability in the Cleo file transfer software, a bypass of the CVE-2024-50623 patch. Cleo itself has not yet confirmed the vulnerability.
The U.S. government strongly suspects that the Clop ransomware gang has ties to foreign state actors. To help prove this, the U.S. has offered a $10 million bounty.