Clop ransomware leverages Cleo zero-day flaw (CVE-2024-50623), threatening to expose 66 global victims. Explore its implications, mitigation steps, and more.

Continue reading
The notorious Clop ransomware gang has struck again, leveraging a critical zero-day vulnerability (CVE-2024-50623) in Cleo's software products to execute data theft on a massive scale. The group has threatened to expose the identities of 66 victim companies within 48 hours unless ransom demands are met.
This marks another high-profile operation by Clop, which has exploited vulnerabilities in platforms like MOVEit Transfer, SolarWinds Serv-U, and Accellion FTA in the past.
In its latest announcement on its dark web leak portal, Clop has published partial names of companies it claims ignored their ransom demands. The cybercriminals are actively contacting victims through secure chat links and email, urging them to negotiate and avoid public exposure.
The Cleo data breach centers around a zero-day flaw in LexiCom, VLTrader, and Harmony software products. Tracked as CVE-2024-50623, the vulnerability allows unrestricted file uploads and downloads, enabling attackers to:
Cleo has released a patch in version 5.8.0.21, urging users to update immediately. However, researchers from Huntress warn that the patch can be bypassed, highlighting an urgent need for further scrutiny.
The group’s strategy underscores its increasing boldness and sophistication. By publishing partial company names on its leak site, Clop intensifies pressure on victims, leveraging:
While 66 companies have been publicly named, cybersecurity expert Yutaka Sejiyama warns the actual list may be significantly larger. With Cleo software used by over 4,000 organizations worldwide, the full scope of this breach remains uncertain.
Clop’s modus operandi revolves around exploiting zero-day vulnerabilities to infiltrate high-value targets. Previous operations include:
This calculated approach solidifies Clop’s position as one of the most formidable ransomware gangs globally.
Organizations using Cleo products must act swiftly to mitigate risks. Here’s what you can do:
Update to Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21.
Verify patch integrity to ensure no bypass vulnerabilities exist.
Identify unauthorized file transfers or abnormal system activity.
Leverage intrusion detection tools to isolate suspicious behavior.
Establish an incident response team to address potential breaches.
Create data backups to minimize impact during ransomware attacks.
Engage cybersecurity experts to perform vulnerability assessments.
Notify stakeholders and legal teams to prepare for potential exposure.
This attack once again highlights the systemic vulnerabilities in widely-used software. It underscores the need for:

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation