Cl0p ransomware group says it was behind Cleo attacks

Cl0p confirmed abusing Cleo to target organizations
The group said it deletes all government and healthcare data
The same threat actor was behind the MOVEit cyberattack

Cl0p ransomware, the hacking group that was responsible for the infamous MOVEit data leak fiasco, has now claimed it was also behind the recent Cleo attacks.

Security researchers from Huntress recently revealed three managed file transfer (MFT) products from Cleo were carrying an unrestricted file upload and download vulnerability that could lead to remote code execution (RCE).

The bug is tracked as CVE-2024-50623, and was found in LexiCom, VLTransfer, and Harmony. Cleo released a patch for it in October 2024, but apparently it wasn’t effective.

The attack "project"

Huntress also said that it spotted at least two dozen compromised organizations, since the flaw was actively exploited in the wild:

“Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers,” Huntress said in its writeup, adding that countless other companies are at risk.

Soon after Huntress’ announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog, confirming the findings and giving federal agencies three weeks to patch up or stop using the tools entirely.

At first, the attack was not attributed to any particular group, since the evidence was inconclusive. However, over the weekend, BleepingComputer contacted Cl0p, who confirmed being behind the attacks:

“As for CLEO, it was our project (including the previous cleo) - which was successfully completed,” the group told the publication. “All the information that we store, when working with it, we observe all security measures. If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit - all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations.”

Clearly, Cl0p does not want to dabble with government or healthcare data, since that incurs the wrath of law enforcement, and most ransomware actors that went for government or healthcare data ended up dismantled, or at least seriously disrupted.

US government agency confirms it was hit by major ransomware attack
Here's a list of the best antivirus
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.