Clop Ransomware Group Targets Cleo Software Users in Latest Extortion Scheme

Cybercriminals Threaten to Expose 66 Companies in Mass Hacking Campaign
December 24, 2024

The notorious Clop ransomware gang, infamous for its high-profile cyber extortion campaigns, has issued new threats to organizations impacted by its recent exploitation of vulnerabilities in Cleo Communications' managed file transfer (MFT) software. The group claims to have compromised at least 66 companies and is threatening to disclose their identities on its dark web leak site.

A Sophisticated Attack on Cleo's MFT Software

Clop, also known as Cl0p, is believed to operate from Russia and has a long history of leveraging zero-day vulnerabilities in file transfer software for large-scale data breaches. The gang took responsibility for exploiting Cleo’s Harmony, VLTrader, and LexiCom MFT solutions in a campaign that reportedly began on December 7, 2024.

The attack leveraged an unrestricted file upload vulnerability (CVE-2024-50623), initially patched in October. However, subsequent analysis revealed that this patch failed to fully mitigate the threat. According to cybersecurity firm Rapid7, the attackers likely combined this flaw with another vulnerability (CVE-2024-55956) to gain full control over targeted systems. This allowed the malicious actors to upload hostile files, retrieve credentials, and execute remote code.

Cleo released an emergency patch on December 11 and urged all customers to apply the fix immediately to prevent further exploitation.

Clop’s Extortion Tactics Escalate

In a December 24 update, Clop announced plans to release the names of the compromised organizations within 48 hours. The group has already begun contacting victims with ransom demands, publishing the first five characters of their names as a warning. Such extortion tactics are part of Clop's standard playbook, aimed at pressuring organizations into paying hefty ransoms to prevent data leaks.

A Pattern of Exploiting File Transfer Vulnerabilities

Clop’s recent activity continues its established modus operandi of targeting file transfer software. Earlier campaigns included:

  • MOVEit Attack (2023): Clop exploited a zero-day vulnerability in MOVEit software over Memorial Day weekend, impacting over 2,770 organizations and exposing sensitive data of more than 95 million individuals.
  • Fortra's GoAnywhere MFT (2023): The gang targeted another zero-day flaw in Fortra's widely used MFT software, compromising numerous organizations.
  • Accellion FTA Breach (2020): Clop exploited vulnerabilities in the Accellion File Transfer Appliance, resulting in widespread global breaches.

The group's ability to orchestrate complex attacks on widely used software highlights the ongoing risks associated with third-party applications.

Urgent Security Recommendations

Organizations using Cleo's MFT solutions should prioritize applying the latest patches and auditing their systems for signs of compromise. Cleo has strongly advised all users to implement the December 11 update without delay. Additionally, organizations should adopt robust security measures, including regular vulnerability assessments, network monitoring, and employee training to mitigate risks from such sophisticated threats.

A Wake-Up Call for Cybersecurity

Clop's relentless targeting of file transfer software underscores the importance of proactive security in managing third-party software dependencies. The recent breach serves as a stark reminder for businesses to remain vigilant, maintain updated software, and have incident response plans in place.

As the cyber threat landscape continues to evolve, Clop’s campaign against Cleo users is yet another example of the devastating potential of ransomware groups. The coming days will reveal whether the affected companies can thwart Clop’s extortion demands or face the fallout of a large-scale data breach.
