- Cl0p confirmed abusing Cleo to target organizations
- The group said it deletes all government and healthcare data
- The same threat actor was behind the MOVEit cyberattack
Cl0p ransomware, the hacking group that was responsible for the infamous MOVEit data leak fiasco, has now claimed it was also behind the recent Cleo attacks.
Security researchers from Huntress recently revealed three managed file transfer (MFT) products from Cleo were carrying an unrestricted file upload and download vulnerability that could lead to remote code execution (RCE).
The bug is tracked as CVE-2024-50623 and affects Cleo LexiCom, VLTrader, and Harmony. Cleo released a patch for it in October 2024, but Huntress found that systems running the patched version were still being exploited, so the fix did not close the hole.
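To make the vulnerability class concrete, here is an added, generic illustration of an upload handler that trusts the client-supplied filename, beside a hardened version of the same handler. This is constructed example code written for this article, not Cleo's implementation and not derived from the CVE-2024-50623 advisory; the directory names, the extension allowlist and the traversal payload are assumptions chosen for the demonstration.

```python
"""Generic illustration of an unrestricted file upload handler and a hardened
counterpart. Constructed example code: not Cleo's implementation and not
derived from the CVE-2024-50623 advisory. Directory names, the allowlist and
the payload below are assumptions made for the demonstration."""
import os
import re
import tempfile
from pathlib import Path

# Assumed allowlist of data-file extensions an MFT endpoint might accept.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".xml", ".edi"}
# Assumed strict filename character set: no slashes, no control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def vulnerable_store(upload_root: Path, client_filename: str, data: bytes) -> Path:
    """Writes wherever the client-supplied name points: no basename check, no
    extension allowlist, no confinement. '../' segments walk out of
    upload_root, so the attacker chooses the destination directory."""
    dest = upload_root / client_filename        # client controls every path component
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest.resolve()


def hardened_store(upload_root: Path, client_filename: str, data: bytes) -> Path:
    """Keep only the final path component, reject names outside a strict
    character set or extension allowlist, then confirm the resolved
    destination is still inside upload_root before writing anything."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not SAFE_NAME.match(name) or name.startswith("."):
        raise ValueError(f"rejected filename: {client_filename!r}")
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {client_filename!r}")
    root = upload_root.resolve()
    dest = (root / name).resolve()
    if dest.parent != root:                     # defence in depth after basename()
        raise ValueError("destination escaped upload root")
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Run both handlers against a constructed traversal payload inside a
    temporary directory and report where each one put, or refused, the file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        upload_root = base / "uploads"
        exec_root = base / "scripts"            # assumed directory the app would execute from
        upload_root.mkdir()
        exec_root.mkdir()
        payload_name = "../scripts/run.cmd"     # constructed attacker-controlled filename
        payload = b"echo attacker-controlled content"

        vuln_dest = vulnerable_store(upload_root, payload_name, payload)
        escaped = vuln_dest.parent == exec_root.resolve()

        try:
            hardened_store(upload_root, payload_name, payload)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True

        benign = hardened_store(upload_root, "invoice-2024.csv", b"a,b,c\n")
        benign_ok = (benign.parent == upload_root.resolve()
                     and benign.read_bytes() == b"a,b,c\n")

    return {
        "vulnerable_escaped_root": escaped,
        "hardened_rejected_traversal": hardened_rejected,
        "hardened_accepted_benign": benign_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler rejects the payload twice over: `basename()` discards the traversal so the file could not leave the upload root, and the `.cmd` extension is not on the allowlist. The final parent-directory check is deliberately redundant so that a future change to the name handling cannot silently reintroduce the escape.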
The attack “project”
Huntress also said it had already seen at least two dozen compromised organizations, as the flaw was being actively exploited in the wild:
“Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers,” Huntress said in its writeup, adding that countless other companies are at risk.
Soon after Huntress' announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation and giving federal civilian agencies three weeks to patch or stop using the affected products entirely.
At first, the attack was not attributed to any particular group, since the evidence was inconclusive. However, over the weekend, BleepingComputer contacted Cl0p, who confirmed being behind the attacks:
“As for CLEO, it was our project (including the previous cleo) – which was successfully completed,” the group told the publication. “All the information that we store, when working with it, we observe all security measures. If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit – all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations.”
Cl0p's stated policy of deleting government and healthcare data is consistent with avoiding the heightened law enforcement attention those sectors attract: several ransomware operations that targeted government or healthcare victims have since been dismantled, or at least seriously disrupted.