59 organizations have reportedly fallen victim to breaches caused by a Cleo software flaw
- At the time of writing, Cleo’s LexiCom, VLTransfer and Harmony contain a bug that was revealed in October 2024
- Threat actors were first observed abusing it in December 2024
- Ransomware group Clop has claimed 59 victims on its leak site, although some dispute any breach
Clop, the Russian state-linked ransomware group, has now claimed to have hacked 59 companies after exploiting a known bug in a number of file transfer applications developed by software house Cleo.
The flaw, CVE-2024-50623, affects Cleo’s LexiCom, VLTransfer, and Harmony software and allows remote code execution. It was first disclosed on October 30, 2024. Clop later published the list of victims on its dark web site, although many deny that any breach has occurred.
Clop claims to have issued breach notices to its victims, including Cleo itself, on its own website, and says that the affected companies are refusing to submit to its ransom demands.
Cleo RCE bug impact
Przemyslaw Jedrysik, spokesman for German manufacturer Covestro, was one of the few willing to reveal the extent of the breach to TechCrunch.
He disclosed unauthorized access by Clop to a US logistics server, but said the company has since taken “measures to ensure system integrity, enhance security monitoring and proactively notify customers.” He also claimed that the information on this server was not of a sensitive nature.
However, spokespersons for several companies, including car rental company Hertz and Australian logistics company Linfox, have explicitly denied to TechCrunch that they were breached.
Clop also listed software vendor Blue Yonder as a victim, although at the time of writing the company has not released updates on cybersecurity incidents since December 12, 2024. However, a spokesperson said in a statement to TechCrunch that Blue Yonder does use Cleo software and is investigating possible unauthorized access to its servers.
The group claims it will reveal more victims in this attack on January 21, 2025, although the true scale of the attack remains unclear.