Cleo File Transfer Attacks Linked to Clop Ransomware Group
Mandiant researchers linked recently disclosed Cleo file transfer attacks to the prolific Clop extortion group.
Mandiant researchers have linked the recent exploitation of two Cleo file transfer flaws to a threat actor that has overlaps with the prolific Clop cybercrime group.
On Wednesday, Mandiant CTO Charles Carmakal said in a post that researchers have linked the slew of attacks to UNC5936, a threat cluster that has overlaps with Clop (also known as FIN11). Clop, a ransomware group that’s been behind several high-profile vulnerability exploitation campaigns, has also claimed responsibility for the attacks.
Key Details:
- Previously, Clop threat actors exploited several other flaws in managed file transfer tools, and then carried out attacks where they stole data and extorted victims. For instance, the group is behind the MOVEit Transfer data theft attacks in 2023 and the Fortra GoAnywhere MFT attacks in 2022.
- Carmakal said that researchers have not yet observed mass data theft, as was seen in the threat actor’s previous campaigns.
- Carmakal referenced the deployment of the Beacon and GoldTomb backdoors on exploited systems, and said “it’s possible that the group may leverage these backdoors to further compromise the victim environment and deploy ransomware, however, we have not yet observed this in our cases to date.”
The Background: Details of exploitation of one of the flaws - a remote code execution vulnerability in several Cleo file transfer tools - first emerged last week. While enterprise software firm Cleo initially issued a patch for the initial flaw (CVE-2024-50623) disclosed in October, researchers found that threat actors were still exploiting fully patched systems, so last week Cleo issued an updated version (version 5.8.0.24), as well as a new CVE for the issue (CVE-2024-55956). Huntress researchers (who first published an in-depth analysis of the flaw and exploitation efforts) initially found the earliest evidence of exploitation on Dec. 3, but Carmakal said that Mandiant researchers observed exploitation dating back to October 2024, and that CVE-2024-55956 was initially exploited in the wild as a zero-day.
Why It Matters: Because the flaw was exploited as a zero-day bug, organizations should examine their Cleo Harmony, VLTrader or LexiCom systems to see if they have been exploited, even if they have updated their systems already. Carmakal said that since exploit code for CVE-2024-50623 is now publicly available, researchers also expect other threat actors to launch attacks as well.
“Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address this vulnerability,” according to Cleo’s security advisory issued last week.
Both Cleo flaws have been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog this week, and CISA marked them as “known to be used in ransomware campaigns.”