- As of press time, Cleo's LexiCom, VLTransfer and Harmony contain a bug disclosed in October 2024.
- Threat actors first exploited it in December 2024.
- The Clop ransomware group has claimed 59 victims on its leak site, although some dispute any intrusion.
Clop, the Russian state-linked ransomware group, claimed to have hacked 59 companies after exploiting a known bug in a number of file transfer applications developed by software company Cleo.
The flaw, CVE-2024-50623, affects Cleo's LexiCom, VLTransfer and Harmony products, allows remote code execution, and was first disclosed on October 30, 2024. Clop later published the list of victims on its dark web leak site, although many of those named deny that a breach took place.
Clop claims to have posted intrusion notices for its victims, including Cleo itself, on its own website, and says the affected companies have refused to meet its ransom demands.
Impact of the Cleo RCE bug
Przemyslaw Jedrysik, a spokesperson for German manufacturer Covestro, was one of the few willing to reveal the extent of the intrusion to TechCrunch.
He confirmed that Clop gained unauthorized access to a US logistics server, but said the company has since "taken steps to ensure system integrity, improve security monitoring and proactively inform customers." He also said that the information on this server was not sensitive in nature.
Spokespersons for several companies, including car rental company Hertz and Australian logistics company Linfox, explicitly denied any intrusion in statements to TechCrunch.
Software supply chain company Blue Yonder was also listed as a victim, although at press time it had not released any updates on cybersecurity incidents since December 12, 2024. A spokesperson did, however, say in a statement to TechCrunch that Blue Yonder uses Cleo software and is investigating potential unauthorized access to its servers.
The group says it will name more victims of this campaign on January 21, 2025, although the true scale of the attack remains unclear.