Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Cl0p Ransomware Group to Name Over 60 Victims of Cleo Attack

The Cl0p ransomware group has confirmed that Blue Yonder was hit in the Cleo attack and the hackers are preparing to name over 60 others.

Cleo file transfer software attack

The notorious Cl0p ransomware group will soon name more than 60 organizations that were hacked recently through the exploitation of vulnerabilities in file transfer products from enterprise software developer Cleo.

Cl0p took credit for the Cleo attacks in mid-December, telling SecurityWeek at the time that they had hit “quite a lot” of targets as part of the campaign.

The ransomware gang has now published an announcement on its Tor-based website, telling victims that they are being contacted and provided access to a secret chat, as well as proof that data has been stolen from their systems.

Only one victim has been named to date: supply chain management software provider Blue Yonder. More than 60 other partial company names have been listed on Cl0p’s website and their full name will be revealed on December 30, unless they pay a ransom. 

According to the cybercriminals, these victims have so far ignored them and they are now being given a last chance.

There has been strong suspicion that the Blue Yonder attack, which hit Starbucks and some major grocery store chains, was carried out through Cleo exploitation. 

However, a new ransomware group named Termite has taken credit for the Blue Yonder attack and there has also been strong suspicion that Termite was behind the Cleo attacks. All this reinforces theories about a connection between Cl0p and Termite. 

Cl0p’s new post suggests that Blue Yonder has been ignoring communication attempts from the cybercriminals. 

The Cleo attacks have involved exploitation of two vulnerabilities affecting the Harmony, VLTrader, and LexiCom file transfer tools. Harmony, VLTrader and LexiCom versions 5.8.0.24 patch the vulnerabilities, which are tracked as CVE-2024-50623 and CVE-2024-55956.

Advertisement. Scroll to continue reading.

The vulnerabilities allow unauthenticated attackers to steal files from the targeted system, and at least CVE-2024-55956 appears to have been exploited as a zero-day. Attacks exploiting the flaws have been seen since December 3.     

It’s possible that other threat groups have been exploiting the Cleo vulnerabilities as well since their existence came to light. 

Cleo has more than 4,000 customers and there appear to be hundreds of internet-exposed instances of its file transfer products.

Cl0p was also responsible for the MOVEit campaign, in which the group exploited a zero-day in the MOVEit file transfer software to steal information from thousands of organizations.     

Related: Undocumented DrayTek Vulnerabilities Exploited to Hack Hundreds of Orgs

Related: CISA Urges Immediate Patching of Exploited BeyondTrust Vulnerability

Related: CISA Warns of Exploited Adobe ColdFusion, Windows Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.