Clop ransomware gang confirms responsibility for Cleo data theft attack

The Clop ransomware gang has claimed responsibility for the recent data-theft attacks targeting Cleo, a developer of managed file transfer platforms, marking another chapter in their history of exploiting zero-day vulnerabilities for large-scale cybercrime.

 

Cleo’s platforms—Harmony, VLTrader, and LexiCom—are widely used by enterprises to exchange critical files securely with business partners and customers. In October, Cleo addressed a vulnerability, tracked as CVE-2024-50623, that enabled unrestricted file uploads and downloads, which could lead to remote code execution. However, cybersecurity firm Huntress later identified that the patch provided by Cleo was incomplete, leaving the door open for attackers to exploit a bypass.

 

By exploiting this flaw, threat actors deployed a Java-based backdoor, granting them unauthorized access to steal data, execute malicious commands, and penetrate further into corporate networks. This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that this vulnerability had been actively exploited in ransomware attacks, underscoring the gravity of the situation.

 

While initial reports suggested that a relatively unknown group, Termite, was behind the attacks, further investigation revealed Clop’s involvement. On Tuesday, Clop confirmed to BleepingComputer that they orchestrated both the exploitation of the original CVE-2024-50623 vulnerability and the subsequent bypass detected by Huntress.

 

In a statement, Clop said: “As for CLEO, it was our project... we observe all security measures. If the data is government services, institutions, [or] medicine, then we will immediately delete this data without hesitation.”

 

The ransomware group, which operates the Cl0p^_- LEAKS extortion site, announced that they are deleting data from previous breaches linked to Cleo and will only engage with newly compromised companies. A message on their site reads: “Due to recent events (attack of CLEO), all links to data of all companies will be disabled, and data will be permanently deleted from servers. We will work only with new companies.”

 

Despite these claims, questions about the attacks’ timeline, scope, and affiliations remain unanswered. Clop did not respond to inquiries about the number of affected companies or their connection to the Termite ransomware gang.