The Clop ransomware group has reportedly taken responsibility for exploiting vulnerabilities in Cleo’s managed file transfer applications, confirming a series of attacks that cybersecurity firms had been tracking. The targeted platforms – Cleo Harmony, VLTrader and LexiCom – are widely used by businesses to facilitate secure file transfers. This news, which was broken by Bleeping Computer, follows earlier speculation linking the breaches to the Termite ransomware group, which recently attacked Blue Yonder.
The Clop gang told the cybersecurity publication that the operation exploited a zero-day vulnerability in Cleo’s systems. “As for CLEO, it was our project (including the previous cleo) – which was successfully completed,” the ransomware group claimed. “All the information that we store, when working with it, we observe all security measures. If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation.”
Cleo initially addressed vulnerabilities in its file transfer tools with an update released in October (version 5.8.0.21). Despite this, cybersecurity firms Huntress and Rapid7 reported active exploitation of the vulnerability by 9 December. Huntress investigators found that attackers used it to install a Java-based backdoor, enabling remote command execution, data theft, and further network infiltration.
Rapid7’s Managed Detection and Response team observed confirmed incidents of exploitation by 10 December. Attackers reportedly engaged in reconnaissance and post-exploitation activities in affected environments. These findings were corroborated by the US Cybersecurity and Infrastructure Security Agency (CISA), which verified that Cleo’s vulnerabilities were being exploited in ransomware attacks.
Although Cleo had initially patched the vulnerabilities associated with CVE-2024-50623, the earlier update proved insufficient. In response to the ongoing attacks, Cleo released another critical update on 13 December (version 5.8.0.24). The new patch introduced enhanced exploit detection, automatic removal of malicious files at startup, and improved logging features. Customers were strongly advised to apply the update immediately.
Clop’s history of high-profile exploits
The Clop ransomware group, believed to be affiliated with the notorious hacking collective TA505, has gained notoriety for its relentless attacks on file transfer platforms to exfiltrate sensitive data. Since emerging, Clop has been behind some of the most significant cyberattacks in recent years, causing widespread disruption across organisations globally.
In 2023, Clop escalated its operations by exploiting zero-day vulnerabilities in high-profile platforms like MOVEit Transfer and GoAnywhere MFT. These attacks, which affected thousands of businesses worldwide, showcased the group’s ability to target critical infrastructure and exploit security gaps in widely used systems. Of these, the MOVEit Transfer campaign was Clop’s most extensive breach. Cybersecurity firm Emsisoft estimates that this breach impacted a staggering 2,773 organisations, underscoring the scale and devastating consequences of the group’s operations.