Full Report
In what we can assure you is a new cybersecurity incident despite sounding incredibly similar to incidents of past notoriety: threat actors tied to a notorious ransomware and extortion group have exploited file-transfer software to carry out attacks. Clop has claimed responsibility for attacks tied to vulnerabilities in software made by Cleo, an Illinois-based IT […] The post Clop is back to wreak havoc via vulnerable file-transfer software appeared first on CyberScoop.
Analysis Summary
# Incident Report: Widespread Exploitation of Cleo File Transfer Software by Clop
## Executive Summary
Threat actors affiliated with the notorious ransomware and extortion group Clop have actively exploited newly disclosed vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo file-transfer software (LexiCom, VLTrader, Harmony). The attacks, which began shortly before public disclosure, leveraged file upload/download flaws to execute code and steal sensitive data across approximately 10 known victim organizations in sectors like consumer products, food, and shipping. Response efforts are focused on identifying the scope of compromise following vendor patching and CISA KEV listing.
## Incident Details
- Discovery Date: Earlier this month (when Huntress Labs identified ongoing exploitation)
- Incident Date: Ongoing, exploiting vulnerabilities disclosed/patched in October and "last week" (prior to report date).
- Affected Organization: Cleo (Vendor), numerous customer organizations (e.g., Consumer products, Food, Shipping sectors).
- Sector: IT/Enterprise Software, exposed customers across various industries.
- Geography: Information not specified beyond Cleo being Illinois-based.
## Timeline of Events
### Initial Access
- Date/Time: Prior to detection; exploitation plausibly began before the public advisories, enabling systematic data extraction ahead of any patching.
- Vector: Exploitation of vulnerabilities in Cleo file-transfer software products (CVE-2024-50623 and CVE-2024-55956).
- Details: CVE-2024-50623 is an unrestricted file upload and download vulnerability leading to Remote Code Execution (RCE). CVE-2024-55956 allowed unauthenticated code execution via the Autorun directory.
### Lateral Movement
- Details: Not explicitly detailed, but post-compromise activity *may* include beacon deployment, suggesting intent for further activity beyond simple data theft, possibly ransomware deployment.
### Data Exfiltration/Impact
- Details: Clop claimed responsibility for stealing sensitive data. Attacks show characteristics of data theft refined since the MOVEit breach; impact is primarily data exposure/extortion.
### Detection & Response
- Date/Time: Huntress Labs identified mass exploitation earlier this month. CISA added one vulnerability to the KEV catalog on Tuesday.
- Response Actions: Cleo issued initial fixes in October for the first vulnerability, followed by a second patch last week, and an immediate patch for CVE-2024-55956.
## Attack Methodology
- Initial Access: Exploitation of RCE vulnerabilities in Cleo file-transfer appliances (CVE-2024-50623 & CVE-2024-55956).
- Persistence: Possible deployment of beacons observed in some victim environments.
- Privilege Escalation: RCE capabilities likely allowed local privilege escalation, though specific techniques are not detailed.
- Defense Evasion: Exploitation occurred prior to vendor advisories, suggesting the actors either had prior knowledge of the flaws or the capability to find zero-days themselves.
- Credential Access: Not specified.
- Discovery: Not specified beyond identifying accessible target systems within the Cleo customer base.
- Lateral Movement: Unspecified, but context suggests focus on data access rather than widespread internal network movement typical of ransomware deployment.
- Collection: Focused on gathering data residing on or accessible via the compromised file transfer service.
- Exfiltration: Implied data theft typical of Clop's extortion model.
- Impact: Data extortion and potential deployment of ransomware (observed beacon deployments).
## Impact Assessment
- Financial: Estimated costs for similar large-scale incidents (like MOVEit) run into billions of dollars for victims collectively.
- Data Breach: Sensitive data theft across approximately 10 confirmed victim businesses spanning consumer products, food, and shipping sectors. ~390 exposed systems identified via Shodan scans.
- Operational: Potential business disruption due to data loss and ongoing extortion demands.
- Reputational: Significant damage to client trust due to the high-profile nature of the exploiting group (Clop) and the repeat reliance on file-transfer software flaws.
## Indicators of Compromise
*(Note: the source does not list specific IoCs; the indicators below are generic detection patterns for this class of intrusion, not confirmed artifacts.)*
- Network indicators:
  - Suspicious outbound connections from Cleo service endpoints to external C2 infrastructure.
- File indicators:
  - Presence of newly dropped web shells or specialized data staging tools.
- Behavioral indicators:
  - High-volume outbound data transfers originating from the affected application server.
  - Discovery of beacon activity suggesting preparation for secondary payloads.
## Response Actions
- Containment measures: Immediate application of vendor patches for CVE-2024-50623 and CVE-2024-55956 across all affected systems.
- Eradication steps: Thorough investigation to confirm whether data exfiltration was the sole objective, or if secondary malware (like ransomware) was deployed (indicated by beacon sightings).
- Recovery actions: Reviewing logs for data exfiltration confirmation and notifying potentially impacted customers and regulators.
## Lessons Learned
- Key takeaways: Threat actors are systematically focusing on zero-day exploitation or rapid exploitation of N-day vulnerabilities within enterprise file-transfer solutions (e.g., Cleo, MOVEit, GoAnywhere).
- What could have been done better: Organizations must prioritize patching critical vulnerabilities immediately, especially advisories concerning RCE in internet-facing infrastructure, even if vendor patches are iterative.
## Recommendations
- Prevention measures for similar incidents:
  1. Implement robust segmentation for all file-transfer solutions, isolating them from the core internal network to limit potential lateral movement.
  2. Employ advanced monitoring, focusing on unusual file upload/download activity and new process execution originating from these applications.
  3. Review access controls and network trust placed on managed file transfer (MFT) appliances, treating them as high-value targets.
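The monitoring recommendation above and the behavioral indicators listed earlier can be turned into simple triage rules. The following is an added example written for this summary, not code from CyberScoop, Cleo or Huntress; the Autorun path, the service process name, the expected child processes and the event format are all constructed assumptions that would need to be replaced with values from a real deployment and telemetry source.

```python
import json
from collections import defaultdict

# Placeholders, not values from the report: adjust to the local install.
AUTORUN_DIR = "/opt/cleo/autorun"        # Cleo Autorun directory (assumed path)
CLEO_PROCESS = "cleo-service"            # process name of the file-transfer service (assumed)
EXPECTED_CHILDREN = {"java"}             # children the service legitimately spawns (assumed)
OUTBOUND_THRESHOLD = 500 * 1024 ** 2     # bytes per (host, destination) before we alert

def triage(events, autorun_dir=AUTORUN_DIR, service=CLEO_PROCESS,
           threshold=OUTBOUND_THRESHOLD):
    """Return (host, rule, detail) findings from simplified event dicts."""
    findings, outbound = [], defaultdict(int)
    prefix = autorun_dir.rstrip("/") + "/"
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file" and ev["path"].startswith(prefix):
            # Report: CVE-2024-55956 gave unauthenticated code execution via Autorun,
            # so any write into that directory deserves an analyst's attention.
            findings.append((host, "autorun_write", ev["path"]))
        elif (ev["type"] == "process" and ev["parent"] == service
              and ev["image"] not in EXPECTED_CHILDREN):
            # Recommendation 2: new process execution originating from the MFT app.
            findings.append((host, "service_spawned_process", ev["image"]))
        elif ev["type"] == "flow" and ev["proc"] == service:
            outbound[(host, ev["dst"])] += ev["bytes_out"]
    for (host, dst), total in outbound.items():
        if total > threshold:
            # Behavioral indicator: high-volume outbound transfer from the app server.
            findings.append((host, "bulk_outbound", f"{dst} {total} bytes"))
    return findings

# Constructed sample telemetry (JSON lines); not real Cleo, EDR or NetFlow output.
SAMPLE_LOG = """
{"type":"file","host":"mft-01","path":"/opt/cleo/autorun/update.xml","proc":"cleo-service"}
{"type":"process","host":"mft-01","parent":"cleo-service","image":"sh"}
{"type":"process","host":"mft-01","parent":"cleo-service","image":"java"}
{"type":"flow","host":"mft-01","proc":"cleo-service","dst":"203.0.113.7","bytes_out":419430400}
{"type":"flow","host":"mft-01","proc":"cleo-service","dst":"203.0.113.7","bytes_out":419430400}
{"type":"file","host":"mft-02","path":"/opt/cleo/inbox/report.csv","proc":"cleo-service"}
{"type":"flow","host":"mft-02","proc":"cleo-service","dst":"198.51.100.9","bytes_out":10485760}
"""
def run_sample():
    events = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
    return triage(events)

if __name__ == "__main__":
    for host, rule, detail in run_sample():
        print(f"{host}\t{rule}\t{detail}")
```

On the constructed sample the script raises three findings for mft-01 (an Autorun write, a shell spawned by the service, and roughly 800 MiB sent to one destination) and none for mft-02, whose inbox write and small transfer are normal MFT behaviour.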