The notorious Clop ransomware group has taken credit for targeting managed file transfer (MFT) software developed by Cleo Communications. These attacks have put organizations relying on Cleo’s Harmony, VLTrader, and LexiCom software on high alert, as these tools are integral to secure file transfers for many enterprises.
A New Wave of Exploits
Cybersecurity firms report a wave of attacks exploiting vulnerabilities in Cleo's MFT products. On December 15, Clop, also known as Cl0p, publicly announced its involvement, stating that all previously stolen data from their Cleo attacks would be permanently deleted. The group also declared they would only target new victims moving forward.
This isn’t the first time Clop has orchestrated a large-scale supply chain attack. In the past, they exploited vulnerabilities in file transfer platforms like MOVEit and Accellion FTA. However, researchers are still analyzing evidence to determine whether the Cleo incidents show overlaps with Clop’s earlier campaigns.
A History of Supply Chain Exploitation
Clop's latest statement about deleting previously stolen data alludes to their high-profile MOVEit campaign in 2023, which compromised data from over 2,770 organizations and exposed sensitive information of more than 95 million individuals. However, security experts caution against rushing to conclusions regarding the Cleo attacks, as other groups, such as Termite, may also be involved.
Termite is believed to possess a zero-day exploit for Cleo’s software. Whether multiple groups collaborated or exploited the flaw independently remains under investigation.
“Although Cl0p has claimed responsibility, this does not constitute definitive proof of their involvement,” notes Christiaan Beek, senior director of threat analytics at Rapid7. “We need more indicators and evidence to confirm whether Cl0p, Termite, or both are behind these exploits.”
Exploiting Cleo Vulnerabilities
The attacks leverage CVE-2024-50623, an unrestricted file upload vulnerability in Cleo’s Harmony, VLTrader, and LexiCom products. This vulnerability allows attackers to remotely execute code with elevated privileges.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-50623 to its catalog of known exploited vulnerabilities, linking it to active ransomware campaigns. Researchers suggest attackers may also be combining this flaw with another vulnerability, CVE-2024-55956, to gain unauthorized access and execute malicious commands.
Patching Efforts and Industry Response
Cleo has released multiple patches to address these vulnerabilities. In October, the company issued a fix for CVE-2024-50623, followed by an additional patch on December 13 for CVE-2024-55956. The latest patch (version 5.8.0.24) resolves an issue that, under default settings, allowed unauthorized execution of arbitrary Bash or PowerShell commands.
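Since the page ties remediation to a single patched build, the practical check for a defender is whether each Harmony, VLTrader or LexiCom instance in the estate is at or above 5.8.0.24. The following is an added example (not Cleo's code) that runs that check over a constructed inventory; it assumes the page's stated build applies to all three products alike and treats an unparseable version as unpatched.

```python
"""Flag Cleo MFT hosts still running a build older than the fixed release.
Added example, not Cleo's code. Assumes the page's fixed build (5.8.0.24)
applies to Harmony, VLTrader and LexiCom alike; inventory data is constructed."""
from typing import Dict, List, Tuple

FIXED_VERSION = "5.8.0.24"  # patch release named on the page
AFFECTED_PRODUCTS = {"harmony", "vltrader", "lexicom"}

def parse_version(text: str) -> Tuple[int, ...]:
    """'5.8.0.21' -> (5, 8, 0, 21). Plain string comparison would rank '5.8.0.9' above '5.8.0.24'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version is at or above the fixed build; shorter tuples are zero-padded."""
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    return v + (0,) * (width - len(v)) >= f + (0,) * (width - len(f))

def unpatched_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames of affected Cleo products below the fixed build. An unparseable
    version is reported too: an unknown build counts as unpatched until verified."""
    flagged = []
    for item in inventory:
        if item["product"].lower() not in AFFECTED_PRODUCTS:
            continue  # other file-transfer software is out of scope here
        try:
            patched = is_patched(item["version"])
        except ValueError:
            patched = False
        if not patched:
            flagged.append(item["host"])
    return flagged

# Constructed sample inventory; hostnames and versions are not real systems.
SAMPLE_INVENTORY = [
    {"host": "mft-01.example", "product": "Harmony", "version": "5.8.0.21"},
    {"host": "mft-02.example", "product": "VLTrader", "version": "5.8.0.24"},
    {"host": "mft-03.example", "product": "LexiCom", "version": "5.8.0.9"},
    {"host": "mft-04.example", "product": "LexiCom", "version": "5.9.0.1"},
    {"host": "mft-05.example", "product": "Harmony", "version": "unknown"},
    {"host": "ftp-01.example", "product": "OtherFTP", "version": "1.0"},
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: below {FIXED_VERSION}, patch or take offline")
```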
Security experts have praised the swift and transparent response from the cybersecurity community. Kevin Beaumont, a prominent British cybersecurity expert, highlighted the collaborative effort to mitigate the attacks. “Roughly two-thirds of vulnerable servers have been patched or taken offline since mass exploitation began,” Beaumont said. “The openness and transparency of organizations like Huntress have played a key role in containing the threat.”
Fallout and Ongoing Investigation
The Cleo campaign differs from Clop’s previous mass exploits, such as the MOVEit attacks, in terms of scale and impact. Thus far, no significant follow-up ransomware activity has been detected among victims, which experts attribute to rapid industry action.
However, questions remain about how long the vulnerabilities were exploited prior to the campaign. Cleo’s October advisory hinted that earlier attacks may have gone unnoticed, raising concerns about potential long-term exposure.
“While Cl0p has claimed credit for the recent incidents, the exact scope and duration of these attacks remain unclear,” said Caitlin Condon, director of vulnerability intelligence at Rapid7. “Understanding who exploited the earlier flaws is crucial to preventing future incidents.”
Lessons for the Future
The Cleo incident underscores the importance of proactive vulnerability management and collaborative cybersecurity efforts. Early disclosure by security firms and transparency from Cleo helped contain the fallout and protect organizations from further damage.
As the investigation continues, the Clop ransomware group’s involvement remains under scrutiny. Regardless of attribution, this incident serves as a reminder of the persistent threats posed by supply chain vulnerabilities and the critical need for industry vigilance.