Flash Report: Cl0p Publishes Data of Cleo Compromise Victims


Key Findings

  • Between January 17 and 18, 2025, the ransomware group Cl0p published data allegedly belonging to three organizations that were targeted during the Q4 2024 compromise of Cleo secure managed file transfer (MFT) solutions.
  • Previously, in December 2024, Cl0p added the obfuscated names of 66 alleged victim organizations to their leak site. The names of these organizations were unveiled on January 14 and 15, 2025, along with a blog post threatening to publish their data on January 18, 2025.
  • It is very likely that Cl0p will begin publishing data stolen from other named organizations in the coming weeks, beginning with those that Cl0p perceives to be impeding negotiations or unlikely to meet demands.
  • Also between January 17 and 18, 2025, Cl0p posted a seemingly unrelated statement to their victim leak site, alluding to the collective’s “downloading” of data belonging to organizations that use the MOVEit MFT solution, via a vulnerability. The meaning and intent behind Cl0p’s message to MOVEit customers is unclear.

Details

Between January 17 and 18, 2025, the ransomware group Cl0p added four new leak pages, each named after a different organization, to their dark web victim leak site; three of the four contain significant quantities of data available for download. These four organizations are alleged victims of the collective’s Q4 2024 compromise of Cleo secure MFT solutions. Two further organization pages were added in the same period, but whether these organizations are victims of the same compromise is unclear as of the writing of this report.

  • In October 2024, Cleo disclosed a vulnerability tracked as CVE-2024-50623 that permitted unrestricted file uploads and downloads, leading to remote code execution (RCE), in the company’s LexiCom, VLTrader, and Harmony secure file transfer products. Cleo did not acknowledge exploitation in the wild, but published an advisory in its online Solutions Center urging users to upgrade to version 5.8.0.21 [1].
  • In early December 2024, it was discovered that endpoints running that latest patch (5.8.0.21) were still being exploited, this time via a vulnerability tracked as CVE-2024-55956. Cleo released a new security patch, with an advisory urging users to update the software to version 5.8.0.24, which reportedly mitigates the threat posed by CVE-2024-55956 [2].
  • At the time of writing, neither CVE-2024-50623 nor CVE-2024-55956 had been assigned a CVSS 4.0 severity score in the National Vulnerability Database (NVD) [3, 4].
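As an added example (not code from the report, ZeroFox, or Cleo), the following Python script turns the two fix versions cited above into a patch-status check for an inventory of Cleo hosts. It shows why a host on 5.8.0.21 must still be treated as exposed, why build numbers have to be compared numerically rather than as strings, and why an unparseable version should be flagged for review rather than assumed safe. The hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Patch-status triage for Cleo Harmony, VLTrader and LexiCom hosts.

Added example (not ZeroFox or Cleo code). The two fix versions are the ones
cited in the report: 5.8.0.21 closes CVE-2024-50623, and 5.8.0.24 is required
for CVE-2024-55956, so a host sitting on 5.8.0.21 is still exposed.
"""

# Minimum build that closes each CVE, per the Cleo advisories cited above.
FIX_VERSIONS = (
    ("CVE-2024-50623", (5, 8, 0, 21)),
    ("CVE-2024-55956", (5, 8, 0, 24)),
)


def parse_version(text: str) -> tuple:
    """Turn '5.8.0.24' into (5, 8, 0, 24).

    Tuples of ints compare numerically. Raw strings do not: '5.8.0.9' sorts
    after '5.8.0.24' lexicographically, which would mark an unpatched host
    as fixed.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Cleo version string: {text!r}")
    return tuple(int(p) for p in parts)


def outstanding_cves(version: str) -> list:
    """Return the CVEs from the report that `version` is still exposed to."""
    installed = parse_version(version)
    return [cve for cve, fix in FIX_VERSIONS if installed < fix]


def triage_inventory(rows) -> dict:
    """Classify each (host, product, version) row.

    Result per host is ("PATCHED", []), ("VULNERABLE", [cve, ...]) or
    ("UNKNOWN", reason) when the version string cannot be parsed. Unknown
    hosts need a manual look rather than silently passing.
    """
    results = {}
    for host, _product, version in rows:
        try:
            missing = outstanding_cves(version)
        except ValueError as exc:
            results[host] = ("UNKNOWN", str(exc))
            continue
        results[host] = ("VULNERABLE", missing) if missing else ("PATCHED", [])
    return results


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("mft-edge-01", "Harmony", "5.8.0.24"),   # fully patched
    ("mft-edge-02", "VLTrader", "5.8.0.21"),  # October fix only; CVE-2024-55956 open
    ("mft-edge-03", "LexiCom", "5.8.0.9"),    # would pass a naive string comparison
    ("mft-legacy", "Harmony", "5.7.0.3"),     # both CVEs open
    ("mft-test", "Harmony", "5.8.0.24-rc"),   # not parseable; flagged for review
]

if __name__ == "__main__":
    for host, (status, detail) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:10} {detail}")
```

A version check only tells you whether a host is still exposed. As the December 2024 exploitation of already-patched endpoints shows, any host that was reachable before 5.8.0.24 was applied also needs to be examined for signs of prior compromise.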

In December 2024, Cl0p added the obfuscated names of 66 alleged victim organizations to their leak site, alongside the threat of revealing their identities on December 26 and 27, 2024, should they not comply with demands. The names of these organizations were instead unveiled on January 14 and 15, 2025, along with a blog post threatening to publish their data on January 18, 2025. As of the writing of this report, 59 named organizations that are alleged victims of the Cleo compromise have not had any of their associated data published. 

  • Cl0p’s alleged victims of the 2024 Cleo compromise are disproportionately associated with the supply chain and logistics sectors, accounting for approximately 20 percent of the listed organizations. This is in comparison to approximately 2.8 percent observed across the ransomware threat landscape.
  • North America was also disproportionately targeted in comparison to other regions, accounting for approximately 80 percent of Cl0p’s recent victims, compared with approximately 58 percent across the ransomware threat landscape. This is likely influenced both by the geographic distribution of Cleo MFT users and by Cl0p’s long-standing preference for targeting North America-based organizations.

It is very likely that Cl0p will begin publishing data stolen from the remaining 59 organizations in the coming weeks, beginning with those that Cl0p perceives to be impeding negotiations or unlikely to meet extortion demands. Another post by Cl0p indicated that the names of more victim organizations would be added to the blog on January 21, 2025. There is a roughly even chance that these names will initially be obfuscated, which would indicate that Cl0p is staggering its extortion campaign in a manner consistent with limited resources.

For those that meet extortion demands, Cl0p will very likely remove their name from the victim leak site, and will likely delete any stolen data. Of the initial 66 organizations posted in December 2024, four have since been removed with no data published.

Also between January 17 and 18, 2025, Cl0p posted a seemingly unrelated statement to the victim leak site, alluding to the collective’s “downloading” of data belonging to organizations that use the MOVEit MFT solution, via a vulnerability. The statement further specifies that this data is “safe”.

  • In Q2 2023, Cl0p leveraged a critical zero-day SQL injection vulnerability, tracked as CVE-2023-34362, in Progress Software’s MOVEit Transfer web application. Hundreds of organizations around the globe were subsequently targeted, resulting in one of the most high-profile digital extortion campaigns ever observed.

The meaning and intent behind Cl0p’s message to MOVEit customers is unclear. The most likely scenario is that the referenced vulnerability is CVE-2023-34362, and that the post is addressed to MOVEit users who are still being exploited, most likely because they have not implemented the most recent security patches. Cl0p could also be referencing a newly found vulnerability affecting MOVEit software that enables renewed targeting of customers. This is very unlikely, however: publicly announcing the access rather than covertly exfiltrating data would forfeit a monetized extortion campaign, which is more in line with Cl0p’s tactics, techniques, and procedures (TTPs).

  • On December 23, 2024, the actor “Nam3l3ss” posted a large number of data sets to the hacking forum BreachForums, allegedly stolen from MOVEit users compromised during the 2023 extortion campaign. While some of these organizations had previously been listed on Cl0p’s victim leak site, others had not, making it likely that they were subject to subsequent targeting.

Typical Timescales for Clop’s Extortion*

*Medium-confidence assessment based on observed procedures and timeframes

Recommendations

  • Ensure that the most recent security patches are implemented. Seek manufacturer guidance from official websites and support pages:
    • hXXps://support.cleo[.]com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623
    • hXXps://support.cleo[.]com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956
    • hXXps://community.progress[.]com/s/products-list
  • Deploy a holistic patch management process, and ensure all IT assets are updated with the latest software updates as quickly as possible.
  • Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege, and implement network segmentation to separate resources by sensitivity and/or function.
  • Implement phishing-resistant multi-factor authentication (MFA) and secure, complex password policies, and ensure credentials are unique and not reused across systems.
  • Ensure critical, proprietary, or sensitive data is backed up regularly to secure off-site, offline, or cloud-based storage, and test that backups can be restored.
  • Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
  • Proactively monitor for compromised accounts and credentials being brokered in deep and dark web forums.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated TTPs.

1. hXXps://support.cleo[.]com/hc/en-us/articles/27141200982423-Unrestricted-File-Upload-and-Download-Vulnerability-Mitigation-CVE-2024-50623

2. hXXps://support.cleo[.]com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956

3. hXXps://nvd.nist[.]gov/vuln/detail/CVE-2024-55956

4. hXXps://nvd.nist[.]gov/vuln/detail/CVE-2024-50623


Appendix A: Traffic Light Protocol for Information Dissemination

Appendix B: ZeroFox Intelligence Probability Scale

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
