- At the time of this publication, Cleo’s LexiCom, VLTransfer, and Harmony contain a bug that was revealed in October 2024.
- It was first observed being exploited by threat actors in December 2024.
- The Clop ransomware group has claimed 59 victims on its leak site, although some of those named dispute that any intrusion occurred.
Clop, the Russian state-linked ransomware group, has claimed to have hacked 59 companies after exploiting a known bug in several file transfer applications developed by software company Cleo.
The flaw, CVE-2024-50623, affects Cleo’s LexiCom, VLTransfer, and Harmony software and allows remote code execution; it was first disclosed on October 30, 2024. Clop later published the list of victims on its dark web site, although many of the listed companies deny that any breach occurred.
Clop claims on its own website to have issued intrusion notices to its victims, including Cleo itself, and says the affected companies are refusing to submit to ransom demands.
Impact of the Cleo RCE bug
Przemyslaw Jedrysik, a spokesman for German manufacturer Covestro, was one of the few willing to reveal the extent of the intrusion to TechCrunch.
He confirmed that Clop had gained unauthorized access to a US logistics server, but said the company has since “taken steps to ensure system integrity, improve security monitoring, and proactively notify customers.” He also stated that the information held on this server was not sensitive in nature.
However, spokespeople for several companies, including car rental company Hertz and Australian logistics company Linfox, explicitly denied the intrusions in statements to TechCrunch.
Clop also lists software supply chain company Blue Yonder as a victim, although, at the time of this publication, Blue Yonder has not issued any cybersecurity incident updates since December 12, 2024. However, a spokesperson said in a statement to TechCrunch that Blue Yonder uses Cleo software and was investigating possible unauthorized access to its servers.
The group claims it will reveal more about its victims in this attack on January 21, 2025, although the true scale of the attack is still unclear.