The Clop ransomware group has claimed responsibility for attacks exploiting a critical vulnerability in Cleo managed file transfer platforms Harmony, VLTrader and LexiCom.
Clop, which was behind the massive 2023 MOVEit Transfer supply chain attack that affected nearly 2,800 organizations, told BleepingComputer that it was behind attacks on the zero-day Cleo vulnerability tracked as CVE-2024-50623 and continued its attacks after CVE-2024-50623 was patched in October using a second flaw tracked as CVE-2024-55956.
“The new Cleo vulnerability (CVE-2024-55956) is an unauthenticated file write vulnerability. It is not a patch bypass of the older vulnerability (CVE-2024-50623), as the root cause is different – CVE-2024-50623 is an unauthenticated file read and write vulnerability,” Rapid7 Principal Security Researcher Stephen Fewer explained in an email to SC Media. “The two vulnerabilities are not chained together to achieve RCE. CVE-2024-55956 can be exploited by itself to achieve unauthenticated RCE.”
Fewer noted that both flaws occur in similar parts of the Cleo product code bases and can be reached via the same target endpoints but require different exploitation strategies. The newer flaw was addressed by Cleo late last week, with users of Cleo Harmony, VLTrader and LexiCom now urged to upgrade to version 5.8.0.24 to fully resolve the vulnerability.
Cybersecurity researchers at Huntress discovered the second flaw and reported on Dec. 9 that, based on its telemetry Cleo servers of at least 10 businesses were compromised in an ongoing exploitation campaign. Attackers were observed deploying a previously unknown Java backdoor on compromised Cleo server, Huntress said in another blog post published Dec. 11; researchers dubbed this new malware “Malichus.”
Rapid7 also published an analysis of the Malichus backdoor and a blog post on the ongoing exploitation campaign, recommending immediate updates, removal of Cleo products from public internet access and disabling of Cleo’s Autorun directory, which is a key part of the exploitation chain for CVE-2024-55956.
While some cybersecurity researchers, including Kevin Beaumont, linked the Cleo attacks to the Termite ransomware group, which claimed a supply chain attack on Blue Yonder earlier this year, Clop has said it is responsible for the Cleo campaign both in statements to BleepingComputer and on its leak site. It is unclear if there is any connection between Termite and Clop.
Clop’s leak site now features a message stating that all data from previous victim companies will be deleted from its servers and that the gang will now only focus on Cleo victims. The gang told BleepingComputer that it was not sure of the exact number of victims in its Cleo campaign but that there were “quite a lot.”
The Clop ransomware group, which has been active since 2019, is known for its targeted exploitation of file transfer services, including Progress Software MOVEit and Fortra GoAnywhere in 2023 and Accellion in 2020. Black Kite Chief Research and Intelligence Officer Ferhat Dikbiyik told SC Media that the Cleo campaign “mirrors the MOVEit attacks of 2023” and could have a wide blast radius as in past supply chain attacks conducted by the Clop gang.
“Considering the impact of MOVEit, thousands of companies could be affected, either directly or indirectly. Organizations must stay vigilant, patch immediately, and assess their exposure to these vulnerabilities,” Dikbiyik said. “It’s the holiday gift nobody wanted.”
