
Cl0p Ransomware Conceals Itself on Compromised Networks After Data Exfiltration


In a recent wave of cyberattacks, the Cl0p ransomware group has demonstrated its ability to exploit vulnerabilities in widely used file transfer software, including Cleo Harmony, VLTrader, and LexiCom.

Leveraging the critical CVE-2024-50623 and CVE-2024-55956 vulnerabilities, the group executed remote code execution (RCE) attacks to infiltrate organizations’ networks globally.

These exploits allowed the attackers to exfiltrate sensitive data before deploying ransomware, another chapter in Cl0p’s history of extortion campaigns built on file transfer software.

The vulnerabilities permitted unrestricted file uploads and downloads, and were exploited to compromise over 60 organizations, according to the victim listings on Cl0p’s dark web leak site.

Cleo has released patches for the affected products, but researchers found that the initial fix could be bypassed, so systems that applied only the first patch remain exposed.

With over 4,000 organizations relying on Cleo products worldwide, the scale of this attack underscores the critical need for robust patch management practices.
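Patch management against this campaign starts with an accurate inventory check. The script below is an added example, not code from the article or from Cleo: it compares installed Cleo Harmony, VLTrader and LexiCom versions against the fixed release. The version thresholds are assumptions taken from Cleo’s advisory rather than from this page (5.8.0.21 was the first, bypassable fix; 5.8.0.24 closes both CVEs) and should be checked against the current advisory; the hostnames and versions in the inventory are constructed.

```python
"""Added example: flag Cleo installs still below the version that fixes
CVE-2024-50623 and CVE-2024-55956. Not the article's or Cleo's code."""

# Assumption (from Cleo's advisory, not from the article): 5.8.0.21 was the
# first fix and was bypassed; 5.8.0.24 is listed as closing both CVEs.
# Re-check these numbers against the vendor's current guidance.
PARTIAL_FIX = (5, 8, 0, 21)
FIXED = (5, 8, 0, 24)


def parse_version(s: str) -> tuple:
    """Turn '5.8.0.24' into (5, 8, 0, 24).

    Comparing version strings lexically ranks '5.8.0.9' above '5.8.0.24',
    which is exactly the mistake that leaves a bypassable build marked as safe.
    """
    parts = []
    for piece in s.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version: {s!r}")
        parts.append(int(digits))
    return tuple(parts)


def assess(version: str) -> str:
    """Classify one install: patched, on the bypassed interim fix, or unpatched."""
    v = parse_version(version)
    if v >= FIXED:
        return "patched"
    if v >= PARTIAL_FIX:
        return "partial-fix-bypassable"
    return "vulnerable"


# Constructed inventory for the example (host, product, version).
INVENTORY = [
    ("edi-gw-01", "Harmony", "5.8.0.24"),
    ("edi-gw-02", "VLTrader", "5.8.0.21"),
    ("edi-gw-03", "LexiCom", "5.8.0.9"),
    ("edi-gw-04", "Harmony", "5.7.0.4"),
]


def triage(inventory=INVENTORY) -> dict:
    """Group hosts by patch state so the two non-'patched' buckets can be worked first."""
    out = {"patched": [], "partial-fix-bypassable": [], "vulnerable": []}
    for host, product, version in inventory:
        out[assess(version)].append(f"{host} ({product} {version})")
    return out


if __name__ == "__main__":
    for state, hosts in triage().items():
        print(f"{state:24s} {hosts}")
```

Hosts in the partial-fix bucket are the ones most likely to be missed by a naive "is it patched?" query, because they did receive an update.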

Stealthy Persistence

After gaining initial access, often through zero-day vulnerabilities or phishing campaigns, Cl0p operators use a range of techniques to keep a foothold in compromised networks while evading detection.

The group is known for techniques such as PowerShell scripting and DLL side-loading to execute commands stealthily.

They also deploy web shells such as DEWMODE to interact with databases and facilitate data exfiltration.

According to Cyfirma, Cl0p’s operations are characterized by meticulous planning and execution.

Once inside a network, the attackers conduct reconnaissance to identify valuable data, including financial records, intellectual property, and sensitive emails.

This stolen information is used as leverage in their “double extortion” scheme: victims are not only locked out of their encrypted files but also threatened with public exposure of their data if ransom demands are not met.

To further evade detection, Cl0p employs techniques like process injection, masquerading with invalid code signatures (binaries carrying signatures that do not validate but pass a casual glance), and clearing Windows event logs.

These measures allow the group to remain undetected for extended periods, increasing their chances of successfully exfiltrating data and deploying ransomware across entire networks.

Global Impact

The recent attacks have disproportionately targeted organizations in the United States (72%), followed by Canada and Europe.

Industries such as manufacturing (37%), retail (26%), and transportation (14%) have been particularly affected.

This aligns with Cl0p’s strategy of targeting entities with high-value data and weaker cybersecurity defenses.

Experts recommend that organizations prioritize prompt patching of known vulnerabilities and implement robust email filtering to block phishing attempts.

Security teams should also load Cl0p-related Indicators of Compromise (IoCs) into their monitoring systems, alongside detections for the behaviours described above, and conduct regular risk assessments to identify potential weaknesses.
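The evasion section above and this recommendation ask for two different kinds of detection: behavioural rules for log clearing and encoded PowerShell, and atomic matching against an IoC list. The detector below is an added example, not code from the article or from Cyfirma, that runs both over Windows event records and escalates hosts where more than one signal fires. The event IDs are standard Windows ones (Security 1102 and System 104 for cleared logs, Security 4688 for process creation, Sysmon 1 and 3 for process creation and network connections); the IoC values and the sample events are constructed placeholders, and the "Sysmon" channel name is shorthand for Microsoft-Windows-Sysmon/Operational.

```python
"""Added example: behavioural rules plus IoC matching over Windows events.
Not the article's, Cyfirma's, or any vendor's code; all data is constructed."""

import re
from collections import defaultdict

# Constructed IoC set: TEST-NET-2 addresses and a dummy hash, not real Cl0p
# indicators. In practice this is loaded from the threat-intel feed.
IOCS = {
    "ip": {"198.51.100.23", "198.51.100.77"},
    "sha256": {"a" * 64},
}

# Events that record the log clearing the article describes:
# Security 1102 "The audit log was cleared", System 104 "The System log file was cleared".
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Process-creation events; Security 4688 only carries the command line when
# command-line auditing is enabled, so Sysmon 1 is the more reliable source.
PROC_CREATE = {("Security", 4688), ("Sysmon", 1)}

# powershell launched with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def behavioural_hits(ev):
    """Rules for the TTPs named in the article, tagged with ATT&CK technique IDs."""
    hits = []
    key = (ev.get("channel"), ev.get("event_id"))
    if key in LOG_CLEARED:
        hits.append("T1070.001 Clear Windows Event Logs")
    cmd = ev.get("command_line", "")
    if key in PROC_CREATE and "powershell" in cmd.lower() and ENCODED_PS.search(cmd):
        hits.append("T1059.001 Encoded PowerShell command")
    return hits


def ioc_hits(ev):
    """Atomic matches: what loading IoCs into monitoring amounts to."""
    hits = []
    for field in ("src_ip", "dest_ip"):
        if ev.get(field) in IOCS["ip"]:
            hits.append(f"IoC ip {ev[field]}")
    if ev.get("sha256", "").lower() in IOCS["sha256"]:
        hits.append("IoC sha256 " + ev["sha256"][:12])
    return hits


# Constructed sample events, not real telemetry. The encoded blob is 'AAAA...'
# in UTF-16LE base64: harmless filler with the shape of an encoded command.
EVENTS = [
    {"host": "edi-gw-02", "channel": "Security", "event_id": 4688,
     "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"host": "edi-gw-02", "channel": "Sysmon", "event_id": 3, "dest_ip": "198.51.100.23"},
    {"host": "edi-gw-02", "channel": "Security", "event_id": 1102},
    {"host": "edi-gw-03", "channel": "Sysmon", "event_id": 1,
     "command_line": "java.exe -jar update.jar", "sha256": "a" * 64},
    {"host": "ws-fin-07", "channel": "Security", "event_id": 4688,
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws-fin-07", "channel": "System", "event_id": 7036},
]


def scan(events=EVENTS):
    """One (host, channel, event_id, hits) tuple per event that matched anything."""
    out = []
    for ev in events:
        hits = behavioural_hits(ev) + ioc_hits(ev)
        if hits:
            out.append((ev["host"], ev["channel"], ev["event_id"], hits))
    return out


def hosts_to_escalate(events=EVENTS, min_distinct=2):
    """A lone IoC hit is a lead; an IoC hit plus log clearing on the same host is
    an incident. Count distinct signal families (technique ID or 'IoC') per host."""
    per_host = defaultdict(set)
    for host, _, _, hits in scan(events):
        per_host[host].update(h.split()[0] for h in hits)
    return sorted(h for h, sigs in per_host.items() if len(sigs) >= min_distinct)


if __name__ == "__main__":
    for row in scan():
        print(row)
    print("escalate:", hosts_to_escalate())
```

The escalation step is the part worth copying: IoC matching alone produces leads that age quickly as infrastructure rotates, while combining it with the log-clearing and encoded-command rules turns the same telemetry into a prioritized host list.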

As ransomware groups like Cl0p continue to evolve their tactics, techniques, and procedures (TTPs), organizations must adopt a proactive approach to cybersecurity.

This includes investing in threat intelligence solutions, conducting employee training on phishing awareness, and establishing layered defenses to mitigate the risks posed by sophisticated threat actors like Cl0p.
