The Clop ransomware gang, which is suspected to have connections with Russian intelligence, has successfully exploited a vulnerability in Cleo File Transfer software, gaining access to the company’s servers despite a security update release. This breach has exposed critical risks to numerous businesses that rely on Cleo’s products for secure data transfers.
According to a statement from Cleo, three of its key products (Harmony, VLTrader, and LexiCom) were compromised through a remote code execution (RCE) attack, which enabled the cybercriminals to steal sensitive intellectual property from the company. This attack highlights the severity of the breach, as Cleo is a major provider of IT supply chain software to many organizations. As such, this hack could potentially have far-reaching consequences for their clients, similar to the catastrophic MOVEit cyber-attack earlier this year.
Initial investigations suggest that Cleo has patched the zero-day vulnerability that allowed the ransomware gang to infiltrate its servers. However, many of its clients remain unaware of the situation, leaving them vulnerable to further attacks or network exploits. The risk of these clients falling victim to the same exploit is high if immediate action is not taken to secure their systems.
Earlier this year, the U.S. Department of Justice had offered a $10 million reward for information leading to the capture of the members of the Clop ransomware group. To qualify for the reward, the information must be credible and lead to the successful arrest of the criminals responsible for these attacks.
Interestingly, despite the attack being launched in October 2024, the Clop gang initially chose to stay silent. However, when some media outlets mistakenly attributed the breach to the “Termite” ransomware group, Clop revealed their identity. In an unexpected move, they claimed that they would delete all the stolen data that had been put up for sale on the dark web. This act raises questions about the gang’s motives: whether it is an attempt to create psychological pressure on the victims or if they were simply trying to cover their tracks after making a significant profit from the stolen information.
This situation also suggests an intriguing dynamic: when a ransomware group hides behind another criminal gang’s name, speculating or falsely attributing the attack to another group might provoke the actual attackers into revealing themselves. This tactic could serve as a potential strategy to unmask or disrupt ransomware gangs, forcing them to take actions that might otherwise have remained hidden.
The evolving nature of cyber-attacks, the shifting tactics of ransomware gangs, and the vulnerability of critical supply chain software underscore the growing need for vigilance in cybersecurity practices. For businesses using Cleo or similar services, the potential for a repeat attack is real, and immediate steps must be taken to safeguard against further exploitation.