SANJAY SAHAY
Just as getting hacked is the new normal, a ransomware gang claiming responsibility for an attack has nearly become normal too. They are convinced that the long arm of the law will not reach them, and if in the most exceptional circumstances it does, they will find ways and means to resurface successfully. Ransomware has become a specialised operation with broken-down job structures, executed more as a service, and it may well follow the norms of the regular IT industry. The news of ransomware attacks reads like one continuous string of news, though the actors, modus operandi, camouflage and booty transacted certainly differ in each case.
Cleo has recently suffered a ransomware attack. Before moving further, what does Cleo do? Cleo is known for its managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom. Companies use these platforms to securely exchange files with business partners and customers. As has become the tradition of ransomware gangs after an attack, in this case too the responsible gang has confirmed that it is behind the Cleo data-theft attacks. The attacks were carried out by using zero-day exploits to breach corporate networks and steal data. The gang that has taken responsibility for this attack is the Clop ransomware gang.
The story dates back to October this year, when the company fixed a vulnerability (CVE-2024-50623) that allowed unrestricted file uploads and downloads, leading to remote code execution. Logically, it should have ended there, but it did not. Cybersecurity firm Huntress discovered some time later, to their surprise, that the original patch was incomplete. As a result, threat actors were actively exploiting a bypass of this patch, now tracked as CVE-2024-55956, to conduct data-theft attacks. While exploiting this vulnerability, the threat actors were uploading a Java backdoor to fulfil their nefarious designs.
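The pattern described above, an upload restriction that was patched incompletely and then bypassed, is easiest to see side by side. The following is an added illustration written for this column, not Cleo's code, and it does not describe the actual mechanism of CVE-2024-50623 or of the CVE-2024-55956 bypass (the page gives no such detail). The three handlers, the directory names and the probe file names are hypothetical: one handler accepts anything, one applies a blocklist-style fix that still lets variants through, and one applies an allowlist with canonicalisation, which is the shape of fix a defender wants.

```python
import os
import re
import pathlib
import tempfile

# Constructed example. Hypothetical storage directory kept outside the
# application server's web root, so stored files are never served or executed.
UPLOAD_ROOT = pathlib.Path(tempfile.gettempdir()) / "mft_uploads"


# Version 1: unrestricted -- the client-supplied name is used as-is.
# Directory components and executable extensions pass straight through.
def save_unrestricted(base: pathlib.Path, client_name: str) -> pathlib.Path:
    return base / client_name


# Version 2: an "incomplete" fix that blocklists one lower-case extension.
# Case variants, alternative extensions and directory components still pass.
BLOCKED = {".jsp"}

def save_blocklist(base: pathlib.Path, client_name: str) -> pathlib.Path:
    ext = os.path.splitext(client_name)[1]
    if ext in BLOCKED:
        raise ValueError("blocked extension")
    return base / client_name


# Version 3: allowlist of data extensions, strict name charset, case folding,
# and a containment check on the canonical path as defence in depth.
ALLOWED = {".csv", ".xml", ".pdf", ".txt"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")   # no separators at all

def save_allowlist(base: pathlib.Path, client_name: str) -> pathlib.Path:
    if not SAFE_NAME.fullmatch(client_name) or client_name.startswith("."):
        raise ValueError("unsafe file name")          # rejects '..', '/', '\\', hidden files
    if os.path.splitext(client_name)[1].lower() not in ALLOWED:
        raise ValueError("extension not allowed")     # '.JSP', '.jspx' etc. all fail here
    target = (base / client_name).resolve()
    if base.resolve() not in target.parents:
        raise ValueError("path escapes upload root")  # cannot trigger after the checks above; kept deliberately
    return target


# Constructed probe names: one legitimate data file, several variants an
# incomplete blocklist misses, and one with a directory component.
PROBES = [
    "report.csv",
    "upload.jsp",
    "upload.JSP",
    "upload.jspx",
    "../../etc/app.xml",
]

def accepts(handler, client_name: str) -> bool:
    """True if the handler would store the file, False if it rejects it."""
    try:
        handler(UPLOAD_ROOT, client_name)
        return True
    except ValueError:
        return False

def audit() -> dict:
    """Map each probe name to (unrestricted, blocklist, allowlist) acceptance."""
    return {
        name: (
            accepts(save_unrestricted, name),
            accepts(save_blocklist, name),
            accepts(save_allowlist, name),
        )
        for name in PROBES
    }

if __name__ == "__main__":
    for name, verdicts in audit().items():
        print(f"{name:22s} unrestricted={verdicts[0]} blocklist={verdicts[1]} allowlist={verdicts[2]}")
```

Running the script prints a verdict table; the blocklist version rejects only the one exact spelling it knows about, which is why a fix built that way is worth re-testing with trivial variants before it is declared complete. A defender reviewing a managed file transfer deployment would also check that the storage directory really sits outside any path the application server will execute from, since the allowlist alone does nothing if stored files are later served as code.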
Only last Friday, CISA confirmed exploitation of the said vulnerability in the Cleo file transfer software. Quite strangely, Cleo has never disclosed “that the original flaw they attempted to fix in October was exploited.” On a superficial understanding of these attacks, there was a strong perception that they had been conducted by a new ransomware gang named Termite. Tracked more closely, the trail has led to the Clop ransomware gang’s doorstep. The gang has confirmed its involvement in this attack to BleepingComputer.
(The writer is a former Karnataka cadre IPS officer, Founder & Director, TechConPro, Cyber Security Expert, Professional Public Speaker & Writer. Hailing from Palamu, Jharkhand, he lives in Bangalore.)