The prolific Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several popular enterprise file transfer products developed by U.S. software company Cleo.
In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claims to have breached by exploiting the high-risk bug in Cleo’s software tools.
The flaw affects Cleo’s LexiCom, VLTransfer, and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory, before security researchers observed hackers mass-exploiting the vulnerability months later in December.
Clop claimed in its post that it notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. Clop is threatening to publish the data it allegedly stole on January 18 unless its ransom demands are paid.
Enterprise file transfer tools are a popular target among ransomware hackers, and Clop in particular, given the sensitive data often stored in these systems. In recent years, the ransomware gang exploited vulnerabilities in Progress Software’s MOVEit Transfer product, and later took credit for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software.
Following its most recent hacking spree, at least one company has confirmed an intrusion linked to Clop’s attacks on Cleo systems.
German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and has since confirmed that the gang accessed certain data stores on its systems.
“We confirmed there was unauthorized access to a U.S. logistics server, which is used to exchange shipping information with our transportation providers,” Covestro spokesperson Przemyslaw Jedrysik said in a statement. “In response, we have taken measures to ensure system integrity, enhance security monitoring and proactively notify customers.”
Jedrysik confirmed that “the majority of the information contained on the server was not of a sensitive nature,” but declined to say what types of data had been accessed.
Other alleged victims that TechCrunch has spoken with have disputed Clop’s claims, and say they were not compromised as part of the gang’s latest mass-hack campaign.
Emily Spencer, a spokesperson for U.S. car rental giant Hertz, said in a statement that the company is “aware” of Clop’s claims, but said there is “no evidence that Hertz data or Hertz systems have been impacted at this time.”
“Out of an abundance of caution, we are continuing to actively monitor this matter with the support of our third-party cybersecurity partner,” Spencer added.
Christine Panayotou, a spokesperson for Linfox, an Australian logistics firm that Clop listed on its leak site, also disputed the gang’s claims, saying the company does not use Cleo software and has “not experienced a cyber incident involving its own systems.”
When asked if Linfox had data accessed due to a cyber incident involving a third party, Panayotou did not respond.
Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they have found no evidence that their systems were compromised.
Clop also listed the recently breached software supply chain giant Blue Yonder. The company, which confirmed a November ransomware attack, has not updated its cybersecurity incident page since December 12.
Blue Yonder spokesperson Marina Renneke reiterated an earlier statement to TechCrunch, noting that the company “uses Cleo to support and manage certain file transfers” and that it was investigating any potential access, but added that the company has “no reason to believe the Cleo vulnerability is connected to the cybersecurity incident we experienced in November.” The company did not provide evidence for the claim.
When asked by TechCrunch, none of the companies that responded would say whether they had the technical means, such as logs, to detect access to or exfiltration of their data.
TechCrunch has not yet received responses from the other organizations listed on Clop’s leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.
It is not yet known how many companies were targeted, and Cleo, which itself has been listed as a victim of Clop, did not respond to TechCrunch’s questions.