Aidan Murphy

Cl0p Ransomware Returns to Old Tactics With Cleo Mass Hack

In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.

After a relatively quiet 2024, Cl0p ransomware has returned to its old tricks with its latest slew of attacks, using zero-day vulnerabilities in the Cleo file transfer platform to breach at least 60 companies.

It is believed that Cl0p executed the attacks by taking advantage of two zero-day vulnerabilities in Cleo’s file transfer software programs: CVE-2024-50623 and CVE-2024-55956. Patches have now been issued for these vulnerabilities and users of Cleo are urged to update to the latest versions of all Cleo software.

Blue Yonder was the first victim that Cl0p claimed as part of its latest spree, before 59 further victims were listed on its dark web leak site in January and given until the 18th to engage in ransomware negotiations. The group has also implied that there are more organizations impacted that it could list in future.

This latest “mass hack” incident follows a long-established Cl0p modus operandi: use a zero-day to quietly compromise several organizations, then list the victims in bulk at once.

This is exactly the same playbook the group has utilized in the past, compromising more than 100 organizations using a zero-day in Fortra’s GoAnywhere MFT secure file transfer software and more than 1,000 organizations using the notorious MOVEit vulnerability in 2023.

Cl0p had relatively little activity in 2024, but this latest attack demonstrates that the group remains one of the greatest ransomware threats.
