Thursday, January 16, 2025

Clop ransomware gang names dozens of victims hit by Cleo mass-hack, but several companies dispute breaches

The prolific Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several popular enterprise file transfer products developed by U.S. software company Cleo.

In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claims to have breached by exploiting the high-risk bug in Cleo's software tools.

The flaw affects Cleo's LexiCom, VLTransfer, and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory before security researchers observed hackers mass-exploiting the vulnerability months later in December.

Clop claimed in its post that it notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. Clop is threatening to publish the data it allegedly stole on January 18 unless its ransom demands are paid.

Enterprise file transfer tools are a popular target among ransomware hackers, and Clop in particular, given the sensitive data often stored in these systems. In recent years, the ransomware gang has exploited vulnerabilities in Progress Software's MOVEit Transfer product, and later took credit for the mass exploitation of a vulnerability in Fortra's GoAnywhere managed file transfer software.

Following its most recent hacking spree, at least one company has confirmed an intrusion linked to Clop's attacks on Cleo systems.

German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and has since confirmed that the gang accessed certain data stores on its systems.

"We confirmed there was unauthorized access to a U.S. logistics server, which is used to exchange shipping information with our transportation providers," Covestro spokesperson Przemyslaw Jedrysik said in a statement. "In response, we have taken measures to ensure system integrity, enhance security monitoring and proactively notify customers."

Jedrysik confirmed that "the majority of the information contained on the server was not of a sensitive nature," but declined to say what types of data were accessed.

Other alleged victims that TechCrunch has spoken with have disputed Clop's claims, and say they were not compromised as part of the gang's latest mass-hack campaign.

Emily Spencer, a spokesperson for U.S. car rental giant Hertz, said in a statement that the company is "aware" of Clop's claims, but said there is "no evidence that Hertz data or Hertz systems have been impacted at this time."

"Out of an abundance of caution, we are continuing to actively monitor this matter with the support of our third-party cybersecurity partner," Spencer added.

Christine Panayotou, a spokesperson for Linfox, an Australian logistics firm that Clop listed on its leak site, also disputed the gang's claims, saying the company does not use Cleo software and has "not experienced a cyber incident involving its own systems."

When asked if Linfox had data accessed as a result of a cyber incident involving a third party, Panayotou did not respond.

Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they have found no evidence that their systems were compromised.

Clop also listed the recently breached software supply chain giant Blue Yonder. The company, which confirmed a November ransomware attack, has not updated its cybersecurity incident page since December 12.

Blue Yonder spokesperson Marina Renneke reiterated an earlier statement to TechCrunch, noting that the company "uses Cleo to support and manage certain file transfers" and that it was investigating any potential access, but added that the company has "no reason to believe the Cleo vulnerability is linked to the cybersecurity incident we experienced in November." The company did not provide evidence for the claim.

When asked by TechCrunch, none of the companies that responded would say if they had the technical means, such as logs, to detect access to or exfiltration of their data.

TechCrunch has not yet received responses from the other organizations listed on Clop's leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.

It is not yet known how many companies were targeted, and Cleo, which itself has been listed as a victim of Clop, did not respond to TechCrunch's questions.
