Cl0p Ransomware Exploits Cleo Vulnerability, Threatens Data Leaks
SUMMARY
Cleo Vulnerability Exploited: The Cl0p ransomware group claims to have exploited a critical vulnerability in Cleo’s managed file transfer software, targeting businesses globally.
Data Leak Threats: Cl0p has announced plans to publish stolen data from affected organizations, increasing pressure on victims to pay ransom.
Repeat Tactics: The attack mirrors Cl0p’s strategy used in the MOVEit and GoAnywhere breaches, focusing on high-impact vulnerabilities in widely used software.
Supply Chain Risks: The exploitation of Cleo software poses a significant risk to supply chains, potentially disrupting operations across multiple industries.
Urgent Patching Advised: Security experts urge organizations using Cleo products to immediately apply patches, review system security, and monitor for signs of compromise.
The Cl0p ransomware group has recently claimed responsibility for exploiting a critical vulnerability in Cleo’s managed file transfer (MFT) software, specifically targeting Cleo Harmony, VLTrader, and LexiCom products. This mirrors their previous attack on Progress Software’s MOVEit Transfer in 2023, where they exploited a zero-day vulnerability to breach systems and steal data.
In the MOVEit incident, Cl0p utilized a SQL injection vulnerability (CVE-2023-34362) to deploy a web shell named LEMURLOOT, enabling unauthorized access to databases and the extraction of sensitive information. This attack impacted several organizations globally, including government agencies and private enterprises, leading to significant data breaches and operational disruptions.
Cleo Vulnerability
The recent exploitation of Cleo’s software follows a similar modus operandi. Cl0p has announced its involvement, indicating the use of zero-day exploits to breach corporate networks and steal data. The specific vulnerability, now identified as CVE-2024-55956, has been acknowledged by Cleo, and organizations running these products are urged to apply the vendor’s patches immediately to mitigate the risk.
On its dark web blog, as seen by Hackread.com, the group posted the following message to substantiate its claims:
“Dear companies Due to recent events (attack of CLEO) all links to data of all companies will be disabled and data will be permanently deleted from servers. We will work only with new companies Happy New Year © CL0P^_.”
Screenshot from Cl0p Ransomware’s dark web leak site (Credit: Hackread.com)
Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite commented on the situation:
“The Cl0p ransomware group has announced they’ll begin publishing victims from attacks exploiting CLEO vulnerabilities. This mirrors the MOVEit attacks of 2023, following Cl0p’s signature playbook: they don’t operate year-round but execute mass exploitation of Managed File Transfer (MFT) vulnerabilities in single, high-impact campaigns. We’ve seen this with GoAnywhere, with MOVEit, and now with CLEO,” said Ferhat.
“Considering the impact of MOVEit, thousands of companies could be affected, either directly or indirectly. Organizations must stay vigilant, patch immediately, and assess their exposure to these vulnerabilities. It’s the holiday gift nobody wanted,” he warned.
Cl0p’s strategy is to identify and exploit vulnerabilities in widely used MFT solutions and then run large-scale campaigns that can hit thousands of organizations at once. That approach underlines the importance of timely patch management and of maintaining a robust security posture, particularly around third-party software dependencies such as file transfer products.
- Starbucks Goes Manual After Blue Yonder Ransomware Attack
- Cl0p ransomware group members arrested, infrastructure seized
- Cl0p ransomware gang leaks sensitive data from 6 US universities
- TDECU Data Breach: 500,000+ Members Affected by MOVEit Exploit
- Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached
Related news
While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.
A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed. The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and…
Ransomware review: July 2023 (Malwarebytes Labs): Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang.
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized
The announcement was posted on Twitter via the Rewards for Justice Twitter account, alongside encrypted messaging system options for anyone to get into contact should they have viable information.
MOVEit has created a patch to fix the issue and urges customers to take action to protect their environments, as Cl0p attacks continue to mount, including on government targets.
Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection
Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.
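The version ranges in the CVE-2023-34362 description above, together with the article’s advice to assess exposure and patch, translate directly into an inventory check. The following script is an added example, not code from Hackread, Progress Software or any advisory: it takes the five first-fixed builds named in the description (both the marketing version and the internal build number) and classifies each installed version on a constructed, made-up host inventory as patched, vulnerable, or unlisted for manual review.

```python
"""Classify installed MOVEit Transfer versions against the fixed builds named
in the CVE-2023-34362 description. Added example; not vendor or advisory code.
"""

# First fixed build on each release branch, taken from the CVE description:
# 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5),
# 2023.0.1 (15.0.1). Keyed by the first two version components so that both
# the marketing scheme (2022.1.x) and the build scheme (14.1.x) are accepted.
FIXED_VERSIONS = {
    (2021, 0): (2021, 0, 6), (13, 0): (13, 0, 6),
    (2021, 1): (2021, 1, 4), (13, 1): (13, 1, 4),
    (2022, 0): (2022, 0, 4), (14, 0): (14, 0, 4),
    (2022, 1): (2022, 1, 5), (14, 1): (14, 1, 5),
    (2023, 0): (2023, 0, 1), (15, 0): (15, 0, 1),
}


def parse_version(text):
    """Turn '2022.1.4' or '14.1.4' (optionally with a 4th hotfix part) into a tuple of ints."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (status, reason); status is 'vulnerable', 'patched' or 'unknown'.

    Only branches explicitly named in the CVE text are classified. Anything
    else (older, end-of-life branches or later releases) is reported as
    'unknown' so an analyst checks it against vendor guidance rather than
    trusting a guess from this script.
    """
    v = parse_version(version_text)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return ("unknown", f"branch {branch[0]}.{branch[1]} is not listed in CVE-2023-34362")
    fixed_text = ".".join(map(str, fixed))
    # Compare the first three components; a hotfix suffix on a fixed build
    # (e.g. 2022.1.5.1) is still at or after the fixed version.
    if v[:3] < fixed:
        return ("vulnerable", f"{version_text} is before fixed build {fixed_text}")
    return ("patched", f"{version_text} is at or after fixed build {fixed_text}")


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("mft-prod-01", "2022.1.4"),   # one build short of the fix on the 2022.1 branch
    ("mft-prod-02", "2022.1.5"),   # exactly the fixed build
    ("mft-dr-01", "14.0.3"),       # internal build numbering, 2022.0 branch, unpatched
    ("mft-lab-01", "2023.0.1"),    # fixed build on the 2023.0 branch
    ("mft-legacy-01", "2020.1.6"), # branch not named in the CVE text
]


def find_exposed(inventory):
    """Return (host, status, reason) for every host that is not confirmed patched."""
    report = []
    for host, version in inventory:
        status, reason = assess(version)
        if status != "patched":
            report.append((host, status, reason))
    return report


if __name__ == "__main__":
    for host, status, reason in find_exposed(SAMPLE_INVENTORY):
        print(f"{host:15} {status:10} {reason}")
```

Feeding the script a real inventory export (hostname, version) in place of `SAMPLE_INVENTORY` gives a first-pass exposure list; the deliberate "unknown" bucket keeps unlisted branches visible instead of silently passing them, which is the failure mode a naive "is version greater than X" check has when a product ships parallel release branches.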