Summary: The Clop ransomware gang has begun extorting victims of its Cleo data theft attacks, giving 66 companies a 48-hour ultimatum to respond to ransom demands. This incident highlights the gang’s exploitation of a zero-day vulnerability in Cleo products to breach networks and steal sensitive data.
Threat Actor: Clop Ransomware Gang | Clop Ransomware Gang
Victim: Various Companies | Companies
Key Point :
- Clop has contacted 66 companies directly, threatening to disclose their full names if they do not engage within 48 hours.
- The gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo products to facilitate data theft.
- A fix is available for the affected Cleo software, but researchers warn that the vulnerability could be bypassed.
- Clop claims to have deleted data from previous attacks as it shifts focus to new extortion efforts.
- The number of compromised companies remains unclear, but Cleo’s software is used by over 4,000 organizations globally.
The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands.
The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.
In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours.
The hackers note that the list represents only victims that have been contacted but did not respond to the message, suggesting that the list of affected companies may be larger.
Clop achieves another major breach
The Cleo data theft attack represents another major success for Clop, who leveraged leveraging a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies.
In the past, Clop ransomware accessed company networks by exploiting zero-day vulnerabilities in Accellion FTA secure file transfer platform, GoAnywhere MFT platform, and MOVEit Transfer platform.
The gang is also responsible for another hacking spree targeting companies running the SolarWinds Serv-U FTP software.
The zero-day flaw exploited this time is now tracked as CVE-2024-50623 and it allows a remote attacker to perform unrestricted file uploads and downloads, leading to remote code execution.
A fix is available for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21 and the vendor warned in a private advisory that hackers were exploiting it to open reverse shells on compromised networks.
Earlier this month, Huntress publicly disclosed that the vulnerability was actively exploited and sounded the alarm that the vendor’s fix could be bypassed. The researchers also provided a proof-of-concept (PoC) exploit to demonstrate their findings.
A few days later, Clop ransomware confirmed to BleepingComputer that it was responsible for exploiting CVE-2024-50623.
The infamous ransomware group declared that data from previous attacks will now be deleted from its platform as it focuses on the new extortion round.
In an email to BleepingComputer, Macnica researcher Yutaka Sejiyama said that even with the incomplete company names that Clop published on its data leak site, it is possible to identify some of the victims by simply cross checking the hacker’s hints with owners of Cleo servers exposed on the public web.
At this time, it is unknown how many companies have been compromised by Clop’s latest attack wave, but Cleo claims that its software is used by more than 4,000 organizations worldwide.