Threat Insight

Cl0p Ransom Group Returns with new Zero-day

The cyber extortion group Cl0p (Clop) has apparently returned with a new campaign, exploiting a zero-day in the Cleo electronic data interchange software.

Cleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use to securely exchange files with their business partners and customers.

Insight

In October, Cleo fixed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads, leading to remote code execution. However, cybersecurity firm Huntress discovered last week that the original patch was incomplete, and threat actors were actively exploiting a bypass to conduct data theft attacks.

The extortion gang has now announced that they are deleting data associated with past attacks from their data leak server and will only work with new companies breached in the Cleo attacks.

Earlier, in December 2024, a relatively new ransomware group called Brain Cipher claimed to have stolen data from the consultancy Deloitte. Deloitte was previously a victim of the Cl0p MOVEit campaign. It’s likely that Cl0p sold their database of stolen data to scavengers like Brain Cipher to make room for new victims on their leak site.

The Cl0p ransomware gang has been active since 2019 and has specialized in targeting previously unknown vulnerabilities in secure file transfer platforms for data theft attacks.

Recommendations

Truesec assesses that Clop is one of the most sophisticated cyber extortion groups known to us. It is the only cybercrime group known to have repeatedly used zero-days in their attacks. That Clop now removes old stolen data from their leak site suggests that they expect a lot of victims.

The Clop ransomware group is known to often begin their campaigns by using vulnerabilities to install additional persistence in the form of backdoors, before beginning the data theft and ransom demands. This means that patching the vulnerability exploited by Clop isn’t enough to ensure you are safe. Any organization that uses Cleo Harmony, VLTrader, or LexiCom should search their environment for possible backdoors. In the case of Truesec SOC customers, Truesec has already conducted threat hunting for the available IOCs.
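One place to start the backdoor search the recommendation calls for is a baseline diff of the file transfer install tree, since the exploited flaw allowed unrestricted file uploads. This is an added example, not Truesec's or Cleo's tooling; it assumes you hold a manifest of relative path to SHA-256 captured from a known-good install of the same version, and the sample tree and file contents in `demo_run` are constructed.

```python
"""Baseline-diff hunt for unexpected files in a file-transfer install tree.
Added example (not Truesec's or Cleo's tooling): assumes a manifest of
relative path -> sha256 captured from a known-good install."""
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[Path(full).relative_to(root).as_posix()] = sha256_of(full)
    return manifest

def hunt(root, baseline):
    """Return sorted (relative_path, reason) pairs for analyst triage."""
    current = build_manifest(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "not in baseline"))      # dropped after install
        elif baseline[rel] != digest:
            findings.append((rel, "content differs from baseline"))  # replaced
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing from install"))
    return sorted(findings)

def demo_run():
    """Constructed sample: snapshot a clean tree, then simulate tampering."""
    root = Path(tempfile.mkdtemp())
    (root / "conf").mkdir()
    (root / "conf" / "settings.xml").write_text("<settings/>")
    (root / "app.jar").write_bytes(b"original")
    baseline = build_manifest(root)            # taken from the known-good install
    (root / "app.jar").write_bytes(b"tampered")          # existing file replaced
    (root / "conf" / "extra.dat").write_bytes(b"unexpected")  # new file dropped
    return hunt(root, baseline)
```

Anything reported is a triage lead, not a verdict: compare the flagged files against vendor-supplied hashes or a second clean install before treating them as a backdoor.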

More technical details are available in Threat Notice 2024-70 in the Truesec Platform.
