Afonso Infante's Cybersecurity Blog

Demystifying Cybersecurity: Insights from an Industry Expert

Clop Ransomware Targets Cleo File Transfer Software: Major Security Exploit

The Clop ransomware group, a notorious cybercriminal organization known for exploiting vulnerabilities in file-transfer software, has struck again, potentially compromising sensitive information such as financial records, personal data, and confidential business documents. This time, their target is Cleo, an enterprise software company whose products are used by businesses worldwide to manage and transfer this critical data.

This attack bears a striking resemblance to the 2023 MOVEit breach, where Clop exploited a zero-day vulnerability in the MOVEit Transfer web application to steal data from numerous organizations. In the Cleo attack, the attackers exploited a similar vulnerability in Cleo’s LexiCom, VLTrader, and Harmony products.

How the Attack Unfolded

In a concerning turn of events for businesses relying on Cleo software, the cybersecurity community first became aware of the attack in early December 2024 when Huntress Labs observed threat actors actively exploiting vulnerabilities in Cleo’s systems. The vulnerability, identified as CVE-2024-50623, is an unrestricted file upload and download flaw that could allow attackers to execute malicious code remotely. “It is plausible that Clop had prior knowledge of several vulnerabilities in the CLEO platform, enabling the group to breach and extract data from victim organizations systematically long before the vendor issued any public security advisory” 1.

While the full extent of the damage remains unclear, Rapid7, a cybersecurity firm, reported a noticeable increase in compromised endpoints among its customers. Huntress Labs initially estimated that approximately 10 businesses were affected, primarily in sectors like consumer products, food, and shipping 1.

Who is FIN11?

Kimberly Goody, head of cybercrime analysis at Google Cloud’s Mandiant, has linked the Cleo attack to a group she calls FIN11 1. This group is known for its sophisticated tactics and its focus on financial gain. While the exact relationship between FIN11 and Clop remains uncertain, it is highly probable that they are connected, either as a sub-group or as collaborators. Despite the similarities between this attack and the MOVEit breach, “current evidence suggests that this may not have been a smash-and-grab as we observed with the MoveIt attack” 1.

Indicators of Compromise (IOCs)

Huntress Labs has identified several indicators of compromise (IOCs) related to the Cleo attack 2. These include:

IP               Details
176.123.5.126    Attacker IP embedded in encoded PowerShell
5.149.249.226    Attacker IP

Arctic Wolf has also identified several IOCs, including IP addresses associated with C2 servers and vulnerability scanners 3.

Affected Cleo Products

The following table lists the affected and unaffected versions of Cleo products:

Product          Affected versions            Unaffected versions
Cleo Harmony     prior to version 5.8.0.24    5.8.0.24
Cleo VLTrader    prior to version 5.8.0.24    5.8.0.24
Cleo LexiCom     prior to version 5.8.0.24    5.8.0.24
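The two tables above give a defender everything needed for a first triage pass: the published attacker IPs to search for in web-server logs, and the fixed build (5.8.0.24) to compare each Cleo install against. The script below is an added example, not code from the original post or from Cleo or Huntress. It embeds the IOC IPs and the version threshold exactly as listed on this page; the host names, inventory records and log lines are constructed sample data, and the log format is assumed to be Apache-style combined logs.

```python
import re
from typing import Iterable, List, Tuple

# IOC IPs published for the Cleo campaign (values taken from the table above).
CLEO_IOC_IPS = {
    "176.123.5.126": "Attacker IP embedded in encoded PowerShell",
    "5.149.249.226": "Attacker IP",
}

# First unaffected build for all three products (from the version table above).
FIXED_VERSION = "5.8.0.24"
AFFECTED_PRODUCTS = {"cleo harmony", "cleo vltrader", "cleo lexicom"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so versions compare numerically.

    Missing trailing components count as 0, so an inventory entry that only
    records '5.8' becomes (5, 8, 0, 0) and is correctly treated as older than
    the fix rather than silently skipped. Non-numeric components raise.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(match.group()))
    return tuple(parts) + (0,) * max(0, 4 - len(parts))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the product is an affected Cleo product running below 5.8.0.24."""
    if product.strip().lower() not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def vulnerable_hosts(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Filter (host, product, version) records down to hosts that need patching."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


def find_ioc_hits(log_lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, description) for every IOC IP found in the logs."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in CLEO_IOC_IPS:
                hits.append((lineno, ip, CLEO_IOC_IPS[ip]))
    return hits


# Constructed sample inventory; host names and versions are hypothetical.
SAMPLE_INVENTORY = [
    ("mft-01", "Cleo Harmony", "5.8.0.21"),
    ("mft-02", "Cleo VLTrader", "5.8.0.24"),
    ("mft-03", "Cleo LexiCom", "5.7.0.18"),
    ("edi-01", "Cleo Harmony", "5.8"),
    ("web-01", "Some Other App", "1.0.0"),
]

# Constructed sample access-log lines in Apache combined format (hypothetical).
SAMPLE_LOGS = [
    '10.0.0.5 - - [09/Dec/2024:10:01:02 +0000] "GET /api/status HTTP/1.1" 200 512',
    '176.123.5.126 - - [09/Dec/2024:10:01:09 +0000] "POST / HTTP/1.1" 200 64',
    '192.168.1.20 - - [09/Dec/2024:10:02:44 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '5.149.249.226 - - [09/Dec/2024:10:03:11 +0000] "GET / HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host}")
    for lineno, ip, desc in find_ioc_hits(SAMPLE_LOGS):
        print(f"IOC HIT on line {lineno}: {ip} ({desc})")
```

The version check deliberately pads short version strings instead of ignoring them: an asset register that lists "5.8" for a Harmony server is exactly the record that gets overlooked during patch verification, and the only safe assumption is that it is below the fixed build until proven otherwise. IP matches in logs are a starting point for investigation, not proof of compromise; the IOC set here is only the two IPs the page lists, and a real sweep should merge in the Arctic Wolf C2 and scanner indicators the post refers to.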

About MOVEit Transfer and Fortra

MOVEit Transfer is a managed file transfer (MFT) software product produced by Ipswitch, Inc., now part of Progress Software 5. It enables secure file transfer between systems, servers, and applications within and between organizations. MOVEit Transfer offers a range of deployment options, including as a managed service (MOVEit Cloud), on any Microsoft Azure server, or as on-premises software 6.

Fortra, a cybersecurity company, provides various solutions, including MFT software. One of their products, GoAnywhere MFT, was previously targeted by the Clop ransomware group 1. This attack highlights the vulnerability of file-transfer software and the need for robust security measures to protect sensitive data during transfer.

Companies and Sectors Impacted

The Clop ransomware group has a history of targeting file-transfer software providers and their customers. In addition to Cleo, they have also attacked Fortra’s GoAnywhere MFT and Accellion’s file-transfer software 1. The sectors impacted by these attacks include shipping, consumer products, and food 1. This pattern of attacks underscores the need for organizations across various sectors to prioritize the security of their file-transfer systems.

What is a Zero-Day Exploit?

A zero-day exploit is a cyberattack that takes advantage of a previously unknown vulnerability in software or hardware 7. The term “zero-day” refers to the fact that the vendor has had zero days to fix the vulnerability because attackers are already exploiting it. These attacks are particularly dangerous because no patch or signature yet exists to defend against them.

Conclusion

The Clop ransomware group’s attack on Cleo is a stark reminder of the ever-present threat of cybercrime, particularly the vulnerability of file-transfer software. This incident highlights a concerning trend of Clop specifically targeting this type of software, exploiting its weaknesses to gain unauthorized access to sensitive data. Organizations that rely on file-transfer software must prioritize security measures for these critical systems, including regular patching, strong access controls, and continuous monitoring. If necessary, they should consider alternative solutions that offer enhanced security features to mitigate the risk of falling victim to similar attacks.

This attack also has broader implications for the cybersecurity landscape. It emphasizes the need for increased collaboration between organizations, security providers, and researchers to identify and address vulnerabilities proactively. Sharing threat intelligence and best practices can help organizations stay ahead of emerging threats and strengthen their defenses against sophisticated attacks like those carried out by Clop. By taking a proactive and collaborative approach to cybersecurity, organizations can better protect themselves and contribute to a more secure digital environment.

— Afonso Infante (afonsoinfante.link)

Works cited

1. Clop is back to wreak havoc via vulnerable file-transfer software …, accessed December 21, 2024, https://cyberscoop.com/clop-cleo-file-transfer-software-breach-fin11/

2. Cleo Software Actively Being Exploited in the Wild CVE-2024-55956 | Huntress, accessed December 21, 2024, https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

3. Cleopatra’s Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software – Arctic Wolf, accessed December 21, 2024, https://arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/

4. Critical Vulnerability in Cleo Software (CVE-2024-50623) – Beazley Security, accessed December 21, 2024, https://beazley.security/alerts-advisories/critical-vulnerability-in-cleo-software-cve-2024-50623

5. MOVEit – Wikipedia, accessed December 21, 2024, https://en.wikipedia.org/wiki/MOVEit

6. www.progress.com, accessed December 21, 2024, https://www.progress.com/moveit/moveit-transfer#:~:text=MOVEit%20Transfer%20gives%20you%20the,or%20as%20on%2Dpremises%20software.

7. www.ibm.com, accessed December 21, 2024, https://www.ibm.com/think/topics/zero-day#:~:text=A%20zero%2Dday%20exploit%20is,it%20to%20access%20vulnerable%20systems.

8. What is a Zero-Day Exploit | Protecting Against 0day Vulnerabilities – Imperva, accessed December 21, 2024, https://www.imperva.com/learn/application-security/zero-day-exploit/
