5 Things To Know On The Cleo Data Theft Attacks

The cybercriminal group Clop — previously responsible for the widely felt MOVEit data theft attacks of 2023 — has reportedly claimed responsibility for the recent attacks exploiting Cleo file transfer tools.

The cybercriminal group Clop has claimed responsibility for the recent attacks exploiting the Cleo managed file transfer tool, according to media reports.

BleepingComputer reported Sunday that Clop has claimed to have compromised numerous companies in connection with the attacks.

The attacks come as data security concerns continue to rise among organizations, amid intensifying risks of data exposure — due in part to a growing focus on data theft and extortion among threat actors.

What follows are five things to know about the Cleo data theft attacks.

Cleo Tools Exploited

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that multiple products from Cleo, a B2B tech platform provider, are vulnerable to a software flaw (tracked at CVE-2024-50623) that has been exploited in cyberattacks.

Cleo managed file transfer tools that were impacted are Cleo Harmony, VLTrader and LexiCom, CISA said.

Cleo said earlier this month that it “has identified an unrestricted file upload and download vulnerability that could lead to remote code execution,” though the company does not appear to have disclosed that the flaw has seen exploitation.

Cleo said customers should upgrade the affected tools to the latest release, version 5.8.0.21, containing a fix for the vulnerability.

Clop Claims Responsibility

According to the BleepingComputer report Sunday, a representative of Clop — a Russian-speaking cybercriminal group known for a prolific wave of attacks in 2023 — confirmed to the outlet that the gang has been behind the Cleo data-theft attacks.

It’s not known so far how many victims may have been impacted in the attacks, though Clop claimed to have stolen data from a significant number of companies by exploiting the Cleo vulnerability.

CRN has reached out to Cleo for comment.

Clop’s Prior Attacks

Clop’s widespread attacks exploiting Progress’ MOVEit file transfer tool in 2023 ranked among the largest data-theft campaigns in recent memory.

The MOVEit data theft and extortion attacks in 2023 struck a total of 2,773 organizations and nearly 96 million individuals, making it one of the largest data heists in recent years, according to tallies by cybersecurity firm Emsisoft.

Within the IT industry, victims of the MOVEit data extortion campaign included IBM, Cognizant, Deloitte, PricewaterhouseCoopers and Ernst & Young.

Data Leaks Implied

Clop reportedly told BleepingComputer that it was removing information on its darkweb leaks site related to prior data thefts during the MOVEit campaign.

The group reportedly suggested it would only engage with newly compromised companies going forward, implying that data leaks from the recent Cleo attacks may be forthcoming.

Cleo Customer Base

On its website, Cleo said that 4,000 customers use its MFT tools.

Customers listed as using Cleo’s MFT tools include Brother, Ryder, New Balance and Duraflame.

“Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability,” Cleo said in its advisory from earlier this month.