Infamous ransomware gang Clop has taken responsibility for a mass hack that has breached at least 66 companies by exploiting a bug in a popular suite of corporate file transfer tools from Cleo Software. The group’s dark web leak site lists partial names of the companies it has hacked, but those companies haven’t responded to the gang since the hack.
The group intends to release the full names of the victims soon, likely to increase pressure on victims to pay the ransom and not have their sensitive data leaked all over the internet. Attacks exploiting flaws in Cleo’s software, specifically the Harmony, VLTrader, and LexiCom file transfer tools, have been seen since at least December 3, giving the group plenty of time to iron out kinks and send out ransom notes.
Cleo has patched the vulnerability tracked as CVE-2024-55956 and is urging customers to update as soon as possible. However, another vulnerability tracked as CVE-2024-50623, which is an unauthenticated file reading and writing issue, might also be involved in the attack. The latter was initially thought to be a bypass of the former bug, but it was later discovered that the two have different root causes, meaning the exploitation strategy would differ greatly between them.

There’s evidence of both vulnerabilities being exploited in the wild, indicating that the attack might have involved the exploitation of a zero-day bug. Additionally, while Clop has taken responsibility, experts state that multiple groups may be involved in the hack.
Regardless, the attack is very much in line with Clop’s recent activity. It is the latest mass hack Clop has carried out in recent years, and the group has targeted similar file transfer tools before, including Accellion, GoAnywhere, and MOVEit, the last in an infamous hack that hit hundreds of companies globally.