Online Extortion Gang Clop Threatens Cleo Hacking Victims

The Clop cybercriminal group is threatening to make public the companies swept up by its mass hacking of managed file-transfer software built by Cleo Communications.

Clop, aka Cl0p, a ransomware extortion organization believed to be based in Russia, took responsibility earlier this month for mass attacks targeting Harmony, VLTrader and LexiCom MFT software built by Rockford, Illinois-based Cleo (see: Clop Ransomware Takes Responsibility for Cleo Mass Exploits).

In a Dec. 24 update to its dark web leak site, Clop asserted it has “data of many companies who use Cleo” and that it will publish within 48 hours a list of at least 66 companies it hacked. The criminal gang said it is contacting the companies with extortion instructions after already publishing the first five characters in their names.

Cleo hurried a patch out to users on Dec. 11 following signs of mass exploitation. Hackers appeared to be exploiting an unrestricted file upload vulnerability in the managed file transfer software, tracked as CVE-2024-50623, for which a patch published in October apparently did not fully prevent hacks. Analysis by Rapid7 suggested hackers might have used a new file-write vulnerability, CVE-2024-55956, to write a malicious host file to the targeted system, and then exploited CVE-2024-50623 to obtain needed credentials and force the system to run the malicious host file, which allows them to remotely execute code.

Cleo has told customers it “strongly advises” them to immediately apply the latest fix.

How long attackers have been exploiting one or both flaws remains unclear. “The campaign began on Dec. 7, and is ongoing as of the publication of this article,” Arctic Wolf said in a Thursday blog post.

Clop is no stranger to mass zero-day exploitation of file transfer software. The group launched a carefully prepared attack against MOVEit software that unfolded over the U.S. Memorial Day weekend in 2023. The count of organizations affected directly or indirectly by the MOVEit incident stands at over 2,770, with data pertaining to more than 95 million individuals exposed, calculates security firm Emsisoft.

Earlier in 2023, Clop took responsibility for a large-scale attack campaign that exploited a zero-day vulnerability to steal data from customers of Fortra’s widely used managed file transfer software GoAnywhere MFT. In December 2020, it targeted zero-day flaws in the Accellion File Transfer Appliance in another global attack campaign.
