The prolific Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several popular enterprise file transfer products developed by U.S. software company Cleo.
In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claims to have breached by exploiting the high-risk bug in Cleo's software tools.
The flaw, tracked as CVE-2024-50623, affects Cleo's LexiCom, VLTrader, and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory before security researchers observed hackers mass-exploiting Cleo systems months later in December. The December attacks succeeded against systems that had applied the October patch, and Cleo subsequently released a second fix for the bypass, tracked as CVE-2024-55956.
Clop claimed in its post that it notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. Clop is threatening to publish the data it allegedly stole on January 18 unless its ransom demands are paid.
Enterprise file transfer tools are a popular target among ransomware hackers, and Clop in particular, given the sensitive data often stored in these systems. In 2023, the gang took credit for the mass exploitation of a vulnerability in Fortra's GoAnywhere managed file transfer software and, months later, exploited a vulnerability in Progress Software's MOVEit Transfer product.
Following its most recent hacking spree, at least one company has confirmed an intrusion linked to Clop's attacks on Cleo systems.
German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and has since confirmed that the gang accessed certain data stores on its systems.
"We confirmed there was unauthorized access to a U.S. logistics server, which is used to exchange shipping information with our transportation providers," Covestro spokesperson Przemyslaw Jedrysik said in a statement. "In response, we have taken measures to ensure system integrity, enhance security monitoring and proactively notify customers."
Jedrysik confirmed that "the majority of the information contained on the server was not of a sensitive nature," but declined to say what types of data were accessed.
Other alleged victims that TechCrunch has spoken with have disputed Clop's claims, and say they were not compromised as part of the gang's latest mass-hack campaign.
Emily Spencer, a spokesperson for U.S. car rental giant Hertz, said in a statement that the company is "aware" of Clop's claims, but said there is "no evidence that Hertz data or Hertz systems have been impacted at this time."
"Out of an abundance of caution, we are continuing to actively monitor this matter with the support of our third-party cybersecurity partner," Spencer added.
Christine Panayotou, a spokesperson for Linfox, an Australian logistics firm that Clop listed on its leak site, also disputed the gang's claims, saying the company does not use Cleo software and has "not experienced a cyber incident involving its own systems."
When asked whether Linfox had data accessed as a result of a cyber incident involving a third party, Panayotou did not respond.
Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they have found no evidence that their systems were compromised.
Clop also listed the recently breached software supply chain giant Blue Yonder. The company, which confirmed a November ransomware attack, has not updated its cybersecurity incident page since December 12.
Blue Yonder spokesperson Marina Renneke reiterated an earlier statement to TechCrunch, noting that the company "uses Cleo to support and manage certain file transfers" and that it was investigating any potential access, but added that the company has "no reason to believe the Cleo vulnerability is connected to the cybersecurity incident we experienced in November." The company did not provide evidence for the claim.
When asked by TechCrunch, none of the companies that responded would say whether they had the technical means, such as logs, to detect access to or exfiltration of their data.
TechCrunch has not yet received responses from the other organizations listed on Clop's leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.
It is not yet known how many companies were targeted, and Cleo, which has itself been listed as a victim of Clop, did not respond to TechCrunch's questions.