LOADING

Type to search

Clop Ransomware Extortion Targets Cleo Data Theft Victims

News

Clop Ransomware Extortion Targets Cleo Data Theft Victims

Share
Clop ransomware announcement targeting Cleo data theft victims, detailing the ransom demand timeline of 48 hours, partial company names listed on the leak site, and warnings of full disclosure.

Clop ransomware, infamous for exploiting critical vulnerabilities in file transfer software, has launched an extortion campaign against 66 companies affected by a data theft incident linked to Cleo’s software. The group has given these organizations 48 hours to initiate ransom negotiations, threatening to reveal their identities and publicly leak sensitive data. This marks another in a series of high-profile campaigns by Clop, showcasing its expertise in exploiting zero-day vulnerabilities in enterprise-level solutions.

Table of Contents

The ransomware group targeted Cleo’s Harmony, VLTransfer, and LexiCom software by exploiting newly discovered vulnerabilities. Cleo has since released security updates to patch these flaws. However, the breach reflects Clop’s well-documented pattern of exploiting file transfer software vulnerabilities to steal data and extort organizations. This campaign follows similar attacks on Accellion FTA, GoAnywhere MFT, and MOVEit Transfer platforms, during which the group leveraged zero-day vulnerabilities to infiltrate systems and exfiltrate sensitive data.

The latest attack revolves around a zero-day flaw, now tracked as CVE-2024-50623, which allows remote attackers to perform unrestricted file uploads and downloads, leading to remote code execution. A fix has been released for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21. However, Cleo’s private advisory warned that hackers were actively exploiting the flaw to open reverse shells on compromised networks.

Huntress, a cybersecurity firm, publicly disclosed earlier this month that the vulnerability was being actively exploited and flagged that the vendor’s fix could be bypassed. The firm also released a proof-of-concept (PoC) exploit to demonstrate their findings. Days later, Clop ransomware confirmed to BleepingComputer that it was behind the exploitation of CVE-2024-50623 and declared that data from previous attacks would now be deleted as it focuses on this new extortion campaign.

Macnica researcher Yutaka Sejiyama revealed that it is possible to identify some victims by cross-referencing the incomplete company names published on Clop’s data leak site with owners of Cleo servers exposed on the public web. While the total number of compromised companies remains unknown, Cleo claims its software is used by over 4,000 organizations worldwide.

Sources:

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.

    View all posts
Tags:
Maya Pillai

Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.

  • 1

Leave a Comment

Your email address will not be published. Required fields are marked *