Clop ransomware gang names dozens of victims of Cleo mass hack, but several companies dispute breaches



The Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several popular enterprise file transfer products developed by US software company Cleo.

In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang lists 59 organizations it claims to have hacked by exploiting a high-risk flaw in Cleo software tools.

The flaw affects Cleo’s LexiCom, VLTransfer, and Harmony products. Cleo first disclosed the vulnerability in a security advisory in October 2024. Security researchers noted that hackers were exploiting the vulnerability en masse in December, months after the advisory was published.

In its post, Clop claimed that it had notified the organizations it had breached, but that the victim organizations had not negotiated with the hackers. Clop threatens to release the data it allegedly stole on January 18 unless its ransom demands are paid.

Enterprise file transfer tools are a popular target among ransomware hackers, and Clop in particular, because of the sensitive data often stored in these systems. In recent years, the ransomware gang has exploited vulnerabilities in Progress’s MOVEit Transfer product and has also claimed responsibility for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software.

Following the recent hacking spree, at least one company has confirmed a breach linked to the Clop attacks on Cleo systems.

German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and has since confirmed that the gang accessed certain data stores on its systems.

“We have confirmed that there has been unauthorized access to a US logistics server, which is used to exchange shipping information with our transportation providers,” Covestro spokesman Przemyslaw Jedrycek said in a statement. “In response, we have taken measures to ensure system integrity, enhance security monitoring, and proactively notify customers.”

Jedrycek said that “the majority of the information on the server was not of a sensitive nature,” but declined to specify the types of data accessed.

Other alleged victims TechCrunch spoke to disputed Clop’s claims, and said they were not hacked as part of the gang’s recent mass hacking campaign.

Emily Spencer, a spokeswoman for US car rental giant Hertz, said in a statement that the company was “aware” of Clop’s claims, but said “there is no evidence that Hertz data or Hertz systems have been affected at this time.”

“Out of an abundance of caution, we continue to actively monitor this matter with the support of our third-party cybersecurity partner,” Spencer added.

Christine Panayiotou, a spokeswoman for Linfox, an Australian logistics company that Clop listed on its leak site, also disputed the gang’s claims, saying the company does not use Cleo software and “has not experienced a cyber incident involving its own systems.”

When asked whether Linfox data was accessed due to a cyber incident involving a third party, Panayiotou did not respond.

Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they found no evidence that their systems had been compromised.

Clop also listed software supply chain giant Blue Yonder, which was recently hacked. The company confirmed a ransomware attack in November, but its cybersecurity incidents page has not been updated since December 12.

Blue Yonder spokeswoman Marina Reineke reiterated a previous statement to TechCrunch, noting that the company “uses Cleo to support and manage certain file transfers” and that it was investigating any potential access, but added that the company “has no reason to believe the Cleo vulnerability is related to the cybersecurity incident we experienced in November.” The company did not provide evidence for the claim.

When asked by TechCrunch, none of the companies that responded said whether they had the technical means, such as logs, to determine whether their data had been accessed or exfiltrated.

TechCrunch has not yet received responses from other organizations listed on Clop’s leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.

It’s not yet known how many companies were targeted, and Cleo, which Clop also listed as a victim, did not respond to TechCrunch’s questions.


