- Hackers were recently found to be abusing a flaw in multiple Cleo software tools.
- The Cl0p ransomware gang claimed responsibility for the attack.
- The group has begun listing victims on its website.
Prolific ransomware threat actor Cl0p has added the partial names of some of the companies that were successfully attacked via bugs in Cleo software. This is probably part of its pressure tactic, as it tries to extort money from its victims.
In early December of this year, news emerged that several managed file transfer tools from the developer Cleo Software were being abused to launch attacks and possibly steal data. At the time, cybersecurity researchers at Huntress claimed that LexiCom, VLTransfer, and Harmony were vulnerable to CVE-2024-50623, an unrestricted file upload and download vulnerability that could lead to remote code execution.
Cleo reportedly released a patch in October that didn’t completely fix the issue, leaving the door open to hackers. Huntress alone said it had observed at least 24 victims. At the time, investigators were unable to attribute the attack to any specific group as the evidence was inconclusive, but it wasn’t long before Cl0p claimed responsibility.
List of victims
For those who don’t know, Cl0p is a threat actor best known for exploiting flaws in MOVEit, another managed file transfer tool. That attack resulted in thousands of organizations being compromised and the confidential data of millions of people being stolen.
Now, TechCrunch reports that the group has taken credit for stealing data from at least 66 companies, listing their partial names on its website. The gang reportedly said it would soon reveal the full names of its victims.
“So far, victim organizations have included several consumer products companies, logistics and shipping organizations, and food suppliers,” Huntress said at the time.
Shortly after the Huntress announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) added the Cleo bug to its Known Exploited Vulnerabilities (KEV) catalog, confirming the findings and giving federal agencies three weeks to patch the tools or stop using them completely.
Via TechCrunch