
CLoP Ransomware Group Claims Responsibility for Cleo Attacks

Group says it will delete any sensitive information it has collected.

The CLoP ransomware group has claimed responsibility for attacks that exploited a critical vulnerability in the Cleo managed file transfer platforms.

CLoP, which was behind the massive 2023 MOVEit Transfer supply chain attack that affected nearly 2,800 organizations, told BleepingComputer that it was behind the attacks exploiting the zero-day Cleo vulnerability tracked as CVE-2024-50623.

In a statement published by BleepingComputer, CLoP said Cleo was “our project…which was successfully completed.”

It said if any of the data is related to government services, institutions, medicine, “then we will immediately delete this data without hesitation.”

After CVE-2024-50623 was patched in October, the group continued its attacks using a second flaw tracked as CVE-2024-55956.

While some cybersecurity researchers linked the Cleo attacks to the Termite ransomware group, which claimed a supply chain attack on Blue Yonder earlier this year, CLoP has said it is responsible for the Cleo campaign both in statements to BleepingComputer and on its leak site. It is unclear if there is any connection between Termite and CLoP.

CLoP’s leak site now features a message stating that all data from previous victim companies will be deleted from its servers and that the gang will now only focus on Cleo victims. 

CLoP told BleepingComputer that it was not sure of the exact number of victims in its Cleo campaign but that there were “quite a lot.”

The CLoP ransomware group, which has been active since 2019, is known for its targeted exploitation of file transfer services, including Progress Software MOVEit and Fortra GoAnywhere in 2023 and Accellion in 2020.

Stephen Fewer, principal security researcher at Rapid7, told SC US that the new Cleo vulnerability (CVE-2024-55956) is an unauthenticated file write vulnerability, not a patch bypass of the older vulnerability (CVE-2024-50623), as the root cause is different.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
