59 organizations reportedly victim to breaches caused by Cleo software bug

News
By
published

More victims expected to be revealed by suspected culprits

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
(Image credit: Shutterstock)
  • At press time, Cleo’s Lexicom, VLTransfer and Harmony contain a bug it disclosed in October 2024
  • Threat actors were first observed to be exploiting it in December 2024
  • Ransomware group Clop has claimed 59 victims on its leak site, though some are disputing any intrusion

Clop, the Russian state-linked ransomware group, has now claimed to have hacked 59 companies after exploiting a known bug in a number of file transfer applications developed by software house Cleo.

The flaw, CVE-2024-50623, affects Cleo’s LexiCom, VLTransfer and Harmony software, inadvertently enables remote code execution, and was first disclosed on October 30, 2024. Clop later published the list of victims on its dark web site, though many are denying that a breach has taken place.

Clop is claiming to have issued intrusion notices to its victims, including Cleo itself, on its own website, but also that impacted companies are refusing to submit to ransom demands.

Cleo RCE bug impact

Przemyslaw Jedrysik, a spokesperson for German manufacturer Covestro, was one of the few willing to reveal the extent of the intrusion to TechCrunch.

He disclosed unauthorized access by Clop to a US logistics server, but that it has since “taken measures to ensure system integrity, enhance security monitoring and proactively notify customers”. He also claimed that information on this server wasn’t of a sensitive nature.

Spokespeople for several companies including car rental firm Hertz and Australian logistics company Linfox have, however, explicitly denied intrusions in statements to TechCrunch.

Clop also listed as a victim software supply chain enterprise Blue Yonder as a victim, though, at press time, it hasn’t issued any cybersecurity incident updates since December 12, 2024. However, a spokesperson did say in a statement to TechCrunch that Blue Yonder does use Cleo software, and that it was investigating potential unauthorized access to its servers.

The group is claiming it’ll disclose more of its victims in this attack on January 21, 2025, though the true scale of the attack remains unclear.

You might also like

Luke Hughes
Luke Hughes
Staff Writer

 Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.