The notorious Clop ransomware gang has admitted responsibility for the recent wave of data theft attacks targeting Cleo’s managed file transfer systems.

This confession was made to BleepingComputer, where Clop disclosed they’ve been exploiting zero-day vulnerabilities to infiltrate corporate networks and pilfer sensitive data.

Cleo, known for its managed file transfer products Cleo Harmony, VLTrader, and LexiCom, had already patched a security flaw tracked as CVE-2024-50623 in October. That patch was meant to block unauthorized file uploads and downloads that could lead to remote code execution. However, cybersecurity researchers at Huntress revealed last week that the patch did not fully resolve the issue: attackers were bypassing the fix and continuing their data theft operations.

During these attacks, the threat actors have been deploying a Java backdoor that lets them not only steal data but also execute commands and deepen their access within the compromised networks.

On Friday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that this critical vulnerability in Cleo’s software is being actively exploited in ransomware attacks. Notably, Cleo has not publicly acknowledged that the October patch was insufficient to stop these attacks.

Initially, the breaches were attributed to a new group called Termite. But after BleepingComputer reached out to Clop on Tuesday, the group stated that it was behind both the recent exploitation of the new Cleo vulnerability and the earlier exploitation of the original CVE-2024-50623 flaw.

Clop stated, “As for CLEO, it was our project (including the previous cleo) – which was successfully completed. All the information that we store, when working with it, we observe all security measures. If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit – all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations.”

In a surprising twist, Clop has announced that it is removing the data of past victims from its leak site and will focus only on the new companies hit by the Cleo attacks. A message posted on the CL0P^_- LEAKS site, addressed to all of the victims previously listed there, reads: “Due to recent events (attack of CLEO) all links to data of all companies will be disabled and data will be permanently deleted from servers. We will work only with new companies. Happy New Year © CL0P^_”

Despite these claims, when BleepingComputer asked Clop for more details about the attack’s timeline, the number of affected companies, and any connection to Termite, the group did not respond. Cleo likewise has not responded to inquiries regarding Clop’s involvement in these breaches.