On October 30, Cleo published a security advisory for an unrestricted file upload vulnerability, tracked as CVE-2024-50623. It affects Cleo Harmony, Cleo VLTrader and Cleo LexiCom up to and including version 5.8.0.23; these three products make up Cleo’s Managed File Transfer (MFT) line. The vendor, which had just released version 5.8.0.24, warned that exploitation of the flaw could lead to remote code execution and urged its customers to upgrade to the fixed version.
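For defenders running several MFT hosts, the practical first step after an advisory like this is to find out which installs still run an affected build. The Python below is an added example, not code from the article or from Cleo: it parses dotted version strings, compares them against the fixed version named in the advisory (5.8.0.24, with everything below it treated as affected), and triages a constructed inventory. The hostnames, the inventory format and the helper names are assumptions; only the product names and version numbers come from the advisory as reported above.

```python
from typing import Dict, List, Tuple

# Values reported from the advisory: builds up to and including 5.8.0.23 are
# affected; 5.8.0.24 is the first fixed build.
FIXED_VERSION = "5.8.0.24"
AFFECTED_PRODUCTS = {"Cleo Harmony", "Cleo VLTrader", "Cleo LexiCom"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.8.0.23' into (5, 8, 0, 23) so tuples compare numerically.

    Raises ValueError for anything that is not purely dotted integers, so a
    build string we do not understand is never silently treated as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when the product is in scope and the build predates the fix.

    Tuple comparison handles shorter strings correctly: (5, 8) < (5, 8, 0, 24),
    so an install reporting only '5.8' is flagged rather than assumed safe.
    """
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host to one of four statuses for a patch-tracking ticket."""
    result: Dict[str, str] = {}
    for host, product, version in inventory:
        if product not in AFFECTED_PRODUCTS:
            result[host] = "out of scope"
            continue
        try:
            affected = is_affected(product, version)
        except ValueError:
            # Unknown build strings get a manual-review status, not a pass.
            result[host] = "unknown version"
            continue
        result[host] = "patch required" if affected else "patched"
    return result


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "Cleo Harmony", "5.8.0.21"),
    ("mft-02.example.internal", "Cleo LexiCom", "5.8.0.24"),
    ("mft-03.example.internal", "Cleo VLTrader", "5.8.0.23"),
    ("sftp-gw.example.internal", "OtherVendor MFT", "2.1.0"),
    ("mft-04.example.internal", "Cleo Harmony", "5.8.0.23-rc1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
```

The hard failure on unparseable strings is deliberate: in a real inventory the most common mistake is a regex that quietly matches a prefix and reports a host as patched when it is not, so anything the parser cannot account for is surfaced for manual review instead.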
Initially, the Termite group was suspected of exploiting this vulnerability. But, as several experts feared, it now appears to be Cl0p.
The group’s operators, also tracked as TA505, posted a message on their leak site announcing that they had deleted the data of all their previous victims, “due to recent events (the Cleo attack)”, and promising to “only work with new companies.”
The Cl0p group has also confirmed to our colleagues at BleepingComputer that it ran a campaign exploiting the CVE-2024-50623 vulnerability: “it was our project […] which was carried out successfully.”
The group was suspected because the campaign bore its hallmarks. In 2023, the Cl0p gang claimed thousands of victims by exploiting a then-new vulnerability in Progress Software’s MOVEit Transfer product.
Before that, Cl0p had also exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT software, with massive fallout. The attackers also exploited a critical vulnerability in Citrix ShareFile, tracked as CVE-2023-24489, last year, two months after Citrix disclosed the flaw and released a patch.
In 2023, Cl0p showed that it had developed unmatched capabilities for industrializing its attacks against systems holding potentially sensitive data and affected by novel vulnerabilities. The surprise was mainly that the group did not profit more from it. The Cleo campaign could well mark its major return to business.