Clop Ransomware Gang Exposes Dozens of Victims in Cleo Mass-Hack: Firms Challenge Breach Claims

The Clop ransomware gang has claimed responsibility for breaching dozens of corporate entities by exploiting a vulnerability in file transfer software developed by the U.S.-based company Cleo. The claims fit an established pattern: enterprise file transfer products sit at the network edge, hold sensitive business data, and a single flaw in one of them lets an attacker hit many customers at once.

Clop Gang Targets Cleo Software Vulnerabilities

In a recent post on its dark web leak site, the Clop gang listed 59 organizations it claims to have breached by taking advantage of a critical flaw in Cleo’s software products, including LexiCom, VLTransfer, and Harmony. Cleo first disclosed the vulnerability in an October 2024 security advisory; exploitation in the wild followed.

Details of the Vulnerability

The vulnerability in Cleo’s software was first identified in October 2024, but security researchers did not observe mass exploitation until December. Clop asserts that it notified the affected organizations and that none of them entered negotiations. It is therefore threatening to publish the stolen data on January 18 unless its ransom demands are met.

Impact on Corporate Victims

Enterprise file transfer tools are particularly attractive targets for ransomware groups, including Clop, because they are exposed to the internet by design and routinely hold the sensitive data that organizations exchange with partners and suppliers. Clop has used the same playbook before, exploiting vulnerabilities in Progress Software’s MOVEit Transfer product and Fortra’s GoAnywhere managed file transfer software to steal data from many customers at once.

Confirmed Breaches

Following this recent hacking spree, at least one company has acknowledged a breach associated with Clop’s attacks on Cleo systems. German manufacturing giant Covestro stated that it had been contacted by the Clop gang and confirmed unauthorized access to specific data stores on its systems.


Covestro spokesperson Przemyslaw Jedrysik commented, “We confirmed there was unauthorized access to a U.S. logistics server, which is used to exchange shipping information with our transportation providers.” He further noted, “In response, we have taken measures to ensure system integrity and enhance security monitoring.”

Victims Dispute Clop’s Claims

While some companies have confirmed breaches, others have disputed Clop’s allegations. For instance, Hertz stated it is “aware” of Clop’s claims but found “no evidence that Hertz data or systems have been impacted.”

Similarly, Linfox, an Australian logistics firm listed by Clop, denied any cyber incidents involving its systems, stating it does not use Cleo software.

Response from Other Affected Organizations

Additional companies, including Arrow Electronics and Western Alliance Bank, have also reported finding no evidence of system compromises. Blue Yonder, a software supply chain giant that experienced a ransomware attack in November, has not updated its cybersecurity incident page since December 12. A spokesperson mentioned that while Blue Yonder uses Cleo for certain file transfers, they have no reason to believe the Cleo vulnerability is related to their prior attack.

Future Developments

As the situation unfolds, TechCrunch has not yet received responses from many of the organizations listed on Clop’s leak site. The gang says it will add further victim organizations to the site on January 21, so the full scope of the campaign is not yet known.

For more information on cybersecurity and how to protect your organization from ransomware threats, consider visiting CISA for valuable resources.
