
CLEO DATA THEFT ATTACKS

Cyber Secure India

Sanjay Sahay Ex IPS (Former ADGP, Karnataka)

Founder & Director, TechConPro Pvt Ltd, Ex. IPS (former ADGP, Karnataka), Pro Public Speaker, Cyber Security Guru, Thought Leader & Writer


Just as getting hacked has become the new normal, a ransomware gang claiming responsibility for a ransomware attack has nearly become normal too. They are convinced that the long arm of the law will not reach them, and if it does, in the most exceptional circumstances, they will find ways and means to resurface successfully. Ransomware has become a specialised operation with broken-down job roles, executed more as a service, and it may well be following the norms of the regular IT industry. News of ransomware attacks arrives as a string of reports, but the actors, the mode of attack, the camouflage and the booty transacted certainly remain different in each case.

Cleo has recently suffered a ransomware attack. Before moving further, what does Cleo do? Cleo is known for its managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom. These platforms are used by companies to securely exchange files with their business partners and customers. As has become the tradition of ransomware gangs after an attack, in this case too the responsible gang has confirmed that they are behind the Cleo data-theft attacks. It was done by utilizing zero-day exploits to breach corporate networks and steal data. The gang that has taken responsibility for this attack is the Clop ransomware gang.

The story dates back to October this year, when the company fixed a vulnerability (CVE-2024-50623). This flaw allowed unrestricted file uploads and downloads, leading to remote code execution. Logically, it should have ended there, but that did not happen. Cybersecurity firm Huntress discovered some time back, to their surprise, that the original patch was incomplete. As a result, the threat actors were actively exploiting a bypass of this patch, now tracked as CVE-2024-55956, to conduct data theft attacks. While exploiting this vulnerability, the threat actors were uploading a Java backdoor to fulfil their nefarious designs.

Only last Friday, CISA confirmed exploitation of the said vulnerability in the Cleo file transfer software. Quite strangely, Cleo has never disclosed “that the original flaw they attempted to fix in October was exploited.” On a superficial understanding of these attacks, there was a strong perception that they were conducted by a new ransomware gang named Termite. When tracked more closely, the trail led to the Clop ransomware gang’s doorstep. The ransomware gang has confirmed their involvement in this attack to BleepingComputer.
