Security Intelligence
Loading table of contents...
The Clop ransomware group has taken credit for the recent breaches of corporate networks via the exploitation of two vulnerabilities in Cleo’s Harmony, VLTrader, and LexiCom file transfer applications.
The first zero-day exploited by Clop, designated CVE-2024-50623, allowed unrestricted file uploads and downloads, which could lead to remote execution. It was discovered and patched by Cleo in versions 5.8.0.21 in October 2024.
Before it was patched, Clop was able to exploit vulnerable devices to install a backdoor in the form of a malicious Freemarker template that contained a reverse shell JavaScript.
Stay on top of emerging threats.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
The second vulnerability, designated CVE-2024-55956, also allowed unrestricted file uploads and downloads and was subsequently exploited by Clop to deploy a backdoor called ‘Malichus’ that enabled data theft, command execution, and lateral movement. It was patched in December 2024 when Cleo released version 5.8.0.24 of Harmony, VLTrader, and LexiCom.
It was originally believed that a new ransomware group, known as Termite, was responsible for the Cleo compromises, however, a statement from Clop taking credit for its ‘CLEO Project’ set the record straight. Clop even decided to spread some Christmas cheer to certain victims of the campaign by permanently deleting data that was originally compromised before Cleo issued the December patch. But the cheer ends there, as Clop continues to extort data compromised after the patch.
Source: Bleeping Computer
Analysis
Clop has established itself as a specialist in identifying and exploiting critical vulnerabilities in secure file transfer platforms. In 2020–2021, Clop exploited multiple vulnerabilities in the Accellion File Transfer Appliance (FTA), including a SQL injection zero-day. The campaign affected dozens of government agencies and universities, with Clop deploying custom web shells like "DEWMODE" to exfiltrate sensitive data.
In early 2023, Clop shifted its focus to the GoAnywhere Managed File Transfer (MFT) software by Fortra, formerly HelpSystems. Clop leveraged a zero-day remote code execution vulnerability, CVE-2023-0669, to breach healthcare, financial, and manufacturing organizations.
Perhaps Clops most notorious campaign was when it exploited CVE-2023-34362, a critical SQL injection vulnerability in MOVEit Transfer by Progress Software, affecting hundreds of organizations worldwide. The group used the LemurLoot web shell to steal data and amplified its extortion efforts by publicly listing victims who refused to pay ransoms.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat groups such as Clop. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
If your organization uses a secure data transfer service, ensure proper mitigations are in place to detect unauthorized access, misconfigurations, and data theft before a vulnerability is officially announced.
While defending against ransomware attacks may seem intimidating at first, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Back up your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored somewhere different than the operational network so that they will not be encrypted during an attack, and thus can be used to restore devices.
Update and patch software
Regular patching, updating, and maintenance help protect against or eliminate known cybersecurity vulnerabilities in IT systems and is one of the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.
