59 organizations reportedly victim to breaches caused by Cleo software bug
Unsurprisingly, spokespeople for Clop’s corporate victims are being coy about the extent of the intrusions into their servers, or refusing to admit any at all.
- At press time, Cleo’s Lexicom, VLTransfer and Harmony contain a bug it disclosed in October 2024
- Threat actors were first observed to be exploiting it in December 2024
- Ransomware group Clop has claimed 59 victims on its leak site, though some are disputing any intrusion
Clop, the Russian state-linked ransomware group, has now claimed to have hacked 59 companies after exploiting a known bug in a number of file transfer applications developed by software house Cleo.
The flaw, CVE-2024-50623, affects Cleo’s LexiCom, VLTransfer and Harmony software, inadvertently enables remote code execution, and was first disclosed on October 30, 2024. Clop later published the list of victims on its dark web site, though many are denying that a breach has taken place.
Clop is claiming to have issued intrusion notices to its victims, including Cleo itself, on its own website, but also that impacted companies are refusing to submit to ransom demands.
Cleo RCE bug impact
Przemyslaw Jedrysik, a spokesperson for German manufacturer Covestro, was one of the few willing to reveal the extent of the intrusion to TechCrunch.
He disclosed unauthorized access by Clop to a US logistics server, but that it has since “taken measures to ensure system integrity, enhance security monitoring and proactively notify customers”. He also claimed that information on this server wasn’t of a sensitive nature.
Spokespeople for several companies including car rental firm Hertz and Australian logistics company Linfox have, however, explicitly denied intrusions in statements to TechCrunch.
Clop also listed as a victim software supply chain enterprise Blue Yonder as a victim, though, at press time, it hasn’t issued any cybersecurity incident updates since December 12, 2024. However, a spokesperson did say in a statement to TechCrunch that Blue Yonder does use Cleo software, and that it was investigating potential unauthorized access to its servers.
The group is claiming it’ll disclose more of its victims in this attack on January 21, 2025, though the true scale of the attack remains unclear.
