The prolific Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in a number of popular enterprise file transfer products developed by U.S. software company Cleo.
In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claims to have breached by exploiting the high-risk bug in Cleo’s software tools.
The flaw affects Cleo’s LexiCom, VLTransfer, and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory, before security researchers observed hackers mass-exploiting the vulnerability months later in December.
Clop claimed in its post that it notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. Clop is threatening to publish the data it allegedly stole on January 18 unless its ransom demands are paid.
Enterprise file transfer tools are a popular target among ransomware hackers — and Clop in particular — given the sensitive data often stored in these systems. In recent years, the ransomware gang exploited vulnerabilities in Progress Software’s MOVEit Transfer product, and later took credit for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software.
Following its most recent hacking spree, at least one company has confirmed an intrusion linked to Clop’s attacks on Cleo systems.
German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and has since confirmed that the gang accessed certain data stores on its systems.
“We confirmed there was unauthorized access to a U.S. logistics server, which is used to exchange shipping information with our transportation providers,” Covestro spokesperson Przemyslaw Jedrysik said in a statement. “In response, we have taken measures to ensure system integrity, enhance security monitoring and proactively notify customers.”
Jedrysik confirmed that “the majority of the data contained on the server was not of a sensitive nature,” but declined to say what types of data had been accessed.
Other alleged victims that TechCrunch has spoken with have disputed Clop’s claims, and say they were not compromised as part of the gang’s latest mass-hack campaign.
Emily Spencer, a spokesperson for U.S. car rental giant Hertz, said in a statement that the company is “aware” of Clop’s claims, but said there is “no evidence that Hertz data or Hertz systems have been impacted at this time.”
“Out of an abundance of caution, we are continuing to actively monitor this matter with the support of our third-party cybersecurity partner,” Spencer added.
Christine Panayotou, a spokesperson for Linfox, an Australian logistics firm that Clop listed on its leak site, also disputed the gang’s claims, saying the company does not use Cleo software and has “not experienced a cyber incident involving its own systems.”
When asked if Linfox had data accessed as a result of a cyber incident involving a third party, Panayotou did not respond.
Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they have found no evidence that their systems were compromised.
Clop also listed the recently breached software supply chain giant Blue Yonder. The company, which confirmed a November ransomware attack, has not updated its cybersecurity incident page since December 12.
Blue Yonder spokesperson Marina Renneke reiterated an earlier statement to TechCrunch, noting that the company “uses Cleo to support and manage certain file transfers” and that it was investigating any potential access, but added that the company has “no reason to believe the Cleo vulnerability is connected to the cybersecurity incident we experienced in November.” The company did not provide evidence for the claim.
When asked by TechCrunch, none of the companies that responded would say whether they had the technical means, such as logs, to detect access to or exfiltration of their data.
TechCrunch has not yet received responses from the other organizations listed on Clop’s leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.
It’s not yet known how many companies have been targeted, and Cleo — which itself has been listed as a victim of Clop — did not respond to TechCrunch’s questions.