In Brief
In late 2024, the CL0P ransomware gang ran a mass data-theft campaign that exploited zero-day vulnerabilities in Cleo's managed file transfer (MFT) software suite. While the number of victims is generally reported by other researchers to be in the region of 60, analysts at WhiteBlueOcean recorded over 200 victims posted to CL0P's leak site in December 2024, the majority of which were compromised as part of this one campaign. The breach, now considered one of the most impactful since the MOVEit and GoAnywhere incidents, has had far-reaching consequences for companies around the world and once again sets a precedent for the scale of cybercrime that the public and private sectors ought to anticipate.
The Breach: What Happened?
The attack was a mass-exploitation campaign against a widely deployed third-party product, often described as a supply-chain attack: it targeted a zero-day in Cleo's managed file transfer (MFT) software suite, which includes Harmony, VLTrader, and LexiCom. The vulnerability, later identified as CVE-2024-50623, allowed attackers to execute code remotely on affected systems without authenticating. In essence, it gave them the keys to the front door: no passwords, no credentials, just direct access to the file transfer servers, and the files on them, of hundreds of Cleo customers.
The flaw lay in how the software handled file uploads. Cleo's products run on customer infrastructure, typically exposed to the internet so that trading partners can exchange files, and an unauthenticated endpoint let an attacker write an arbitrary file to an arbitrary location in the install tree. Writing into the product's "autorun" directory, whose contents the software processes automatically, turned that file write into arbitrary command execution on the server. Once inside, CL0P moved quickly to establish persistence, installing backdoors and probing internal systems for sensitive data. The method was not new for the group; it echoed their previous campaigns against other file transfer platforms such as MOVEit and GoAnywhere, where they similarly exploited zero-day vulnerabilities to reach critical business data.
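To make the bug class concrete, the following is an added example written for this article; it is not Cleo's code and does not reproduce the real exploit. It models a generic MFT upload handler in Python: the vulnerable version trusts the client-supplied filename and so can be steered into a directory whose contents are executed automatically (here a constructed install tree with a hypothetical `autorun` folder), while the hardened version requires an authenticated session, ignores the client name when choosing where to write, and confirms the resolved path stays inside the upload directory.

```python
"""Illustrative MFT upload handlers (added example, not Cleo's code).

Models the weakness behind CVE-2024-50623 in generic form: an upload
endpoint that builds the destination path from an attacker-controlled
filename, inside an install tree that contains a directory whose
contents the product runs automatically. The install layout below is
constructed for the example; 'autorun' is a hypothetical name.
"""
import os
import re
import secrets
import tempfile
from typing import Optional


def make_install_root() -> str:
    """Create a throwaway install tree: <root>/uploads and <root>/autorun."""
    root = tempfile.mkdtemp(prefix="mft-")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "autorun"))
    return root


def vulnerable_upload(root: str, filename: str, data: bytes) -> str:
    """Deliberately flawed: no authentication, and the client-supplied
    name is joined straight onto the upload directory, so a name such as
    '../autorun/evil.txt' escapes into the auto-executed folder."""
    dest = os.path.join(root, "uploads", filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


class UploadRejected(Exception):
    pass


def hardened_upload(root: str, session_user: Optional[str],
                    filename: str, data: bytes) -> str:
    """Hardened handler: authenticate, validate the display name, let the
    server pick the on-disk name, and verify the resolved path."""
    if session_user is None:
        raise UploadRejected("authentication required")
    # 1. The client name is metadata only; refuse separators and traversal.
    if not SAFE_NAME.match(filename) or filename.startswith(".") or ".." in filename:
        raise UploadRejected(f"bad filename {filename!r}")
    uploads = os.path.realpath(os.path.join(root, "uploads"))
    # 2. The server chooses the stored name; nothing from the request is used.
    stored = secrets.token_hex(16) + ".bin"
    dest = os.path.realpath(os.path.join(uploads, stored))
    # 3. Defence in depth: the resolved path must remain under 'uploads'.
    if os.path.commonpath([uploads, dest]) != uploads:
        raise UploadRejected("path escapes upload directory")
    # 4. Create exclusively with tight permissions; never overwrite.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def autorun_contents(root: str) -> list:
    """What the product would execute on its next pass over 'autorun'."""
    return sorted(os.listdir(os.path.join(root, "autorun")))


def demo():
    """Same traversal attempt against both handlers."""
    root = make_install_root()
    payload = b"<fake command file>"  # constructed stand-in for a malicious file
    vulnerable_upload(root, "../autorun/evil.txt", payload)
    landed = autorun_contents(root)  # ['evil.txt']: the payload is now queued
    try:
        hardened_upload(root, "alice", "../autorun/evil.txt", payload)
        blocked = False
    except UploadRejected:
        blocked = True
    return landed, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened handler is worth reading for what it does not do: it never uses the request's filename to build a path, so the traversal and the autorun directory stop mattering. That is the durable fix; a deny-list of bad characters on the vulnerable handler would be the kind of partial patch that gets bypassed.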
The timeline of the breach reveals a troubling gap between the first fix and an effective one. Cleo released a patch for CVE-2024-50623 in October 2024 after suspicious activity was detected, but the fix did not address the underlying weakness and did not impede CL0P; patched systems remained exploitable, and the bypass was later assigned its own identifier, CVE-2024-55956. Over the following weeks CL0P quietly escalated the campaign, targeting dozens of organizations across sectors such as finance, education, retail, and logistics. Only in December 2024, once mass exploitation was under way, did Cleo ship an effective update and actively urge customers to install it and apply interim mitigations such as disabling the autorun directory and taking instances off the public internet.
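Because the October patch left systems exploitable, "we applied the vendor fix" was not enough for a defender to say; what mattered was which build was running. The following added example (written for this article, not vendor tooling) triages a constructed host inventory into three states: unpatched, carrying only the October fix and therefore still exploitable, and fixed. The version thresholds are this author's assumptions taken from the vendor advisories (5.8.0.21 for the first fix, 5.8.0.24 for the effective one) and should be confirmed against Cleo's current guidance before use.

```python
"""Patch-state triage for an MFT fleet (added example, not vendor tooling).

Assumed thresholds, to be verified against the vendor advisory:
  - below 5.8.0.21          : unpatched (CVE-2024-50623 open)
  - 5.8.0.21 up to 5.8.0.24 : October fix only, still exploitable (CVE-2024-55956)
  - 5.8.0.24 and later      : fixed
"""
from typing import Dict, List, Tuple

FIRST_FIX = (5, 8, 0, 21)   # assumption: build that claimed to fix CVE-2024-50623
FULL_FIX = (5, 8, 0, 24)    # assumption: build that closed the bypass
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}

# Constructed inventory rows, as an asset database might export them.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "mft-01", "product": "Harmony",  "version": "5.8.0.3"},
    {"host": "mft-02", "product": "VLTrader", "version": "5.8.0.21"},
    {"host": "mft-03", "product": "LexiCom",  "version": "5.8.0.24"},
    {"host": "mft-04", "product": "Harmony",  "version": "5.8"},
    {"host": "sftp-01", "product": "OtherGateway", "version": "9.1"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric dotted-version parser. String comparison would rank
    '5.8.0.3' above '5.8.0.21'; integer tuples rank them correctly.
    Short versions are zero-padded so '5.8' compares as 5.8.0.0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {text!r}")
    version = tuple(int(p) for p in parts)
    return version + (0,) * (4 - len(version))


def classify(product: str, version: str) -> str:
    """Map one host to a patch state."""
    if product not in AFFECTED_PRODUCTS:
        return "not-affected-product"
    v = parse_version(version)
    if v < FIRST_FIX:
        return "vulnerable-unpatched"
    if v < FULL_FIX:
        return "vulnerable-partial-fix"   # patched in October, still exploitable
    return "fixed"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by patch state, so the two vulnerable buckets can be
    pushed to the top of the remediation queue."""
    report: Dict[str, List[str]] = {}
    for row in inventory:
        state = classify(row["product"], row["version"])
        report.setdefault(state, []).append(row["host"])
    return report


if __name__ == "__main__":
    for state, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{state:24s} {', '.join(hosts)}")
```

The middle bucket is the one this incident turns on: a host in it shows up as "patched" in a tool that only checks whether the October update was installed, yet it is exactly as exposed as an unpatched one.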
Despite Cleo's assurances that no widespread data exfiltration had occurred, investigations told a different story. Security firm Mandiant, which responded to intrusions at affected organisations, confirmed that attackers had established persistent access to file transfer servers and had already read sensitive configuration files and credentials. While there was no immediate evidence of large-scale data theft, data staging activity showed that CL0P had at least prepared for exfiltration, if not already carried it out in some cases.
CL0P's strategy was as much psychological as it was technical. In December they began listing victims on their leak site, publishing partial data samples to apply immediate pressure, and setting public deadlines for ransom negotiations. Some unlucky companies had their entire data set published early on to make an example of them. WhiteBlueOcean watched as more and more victims' data were published, with the occasional one or two disappearing from the site, likely indicating a successful extortion. CL0P's use of secure communication portals and phased data releases reflected a level of experience and maturity that has become increasingly common among top-tier ransomware groups. This was not a smash-and-grab; it was a calculated campaign designed to maximise leverage and extract payment through fear, urgency, and reputational risk.
Wider Implications
With this attack, CL0P clearly displayed their experience in running large-scale extortion campaigns off the back of one or two zero-day vulnerabilities. It is almost textbook CL0P, and yet a large number of victims did not take appropriate measures in response. Part of the blame may lie in the campaign's lack of focus on any particular sector: companies in an industry that knows it is disproportionately targeted, mining for example, tend to build better mitigations as a result, whereas the Cleo attack cut across financial services, entertainment, gambling and many more industries, as analysed by Imperva. It is worth noting, though, that sectors such as logistics may have been disproportionately hit by CL0P in this campaign.
Figure 1: Victim profiling undertaken by Imperva.
But the more pertinent issue is the risk a company takes on when it relies on a third party to move or hold its data. As seen in other campaigns such as MOVEit or Snowflake, these service providers offer products that are far more economical than building in-house, but they have become extremely valuable targets for cybercriminals, and zero-days affecting their services are in very high demand on the dark web. One good vulnerability can give a ransomware group access to the data of hundreds or thousands of businesses at once. As the data-services market grows by the day, deeper reliance on third-party vendors could lead to even more severe breaches in the future.
It is also striking how under-reported this incident is. Most online cybersecurity news outlets have reported that the breach affected around 60-70 businesses, far below WhiteBlueOcean's count. In addition, many businesses have released little or no information to their customers or user bases about the breach, despite many of them having had their full data published by CL0P already. This lack of transparency towards consumers is concerning, as breaches of this kind frequently lead to identity theft and financial fraud for the individuals whose data is exposed.
While we have refrained from naming particular victims of this attack, court documents are in the public domain for a class action lawsuit filed by a former employee of Sam's West, Inc., better known as Sam's Club, a retail giant in the United States. The lawsuit sought compensation of $5 million in aggregate for those affected by the attack on the plaintiff's former employer, to cover costs incurred for credit freezes and monitoring, credit reports, and other identity-protection expenses. The lawsuit was later voluntarily dismissed by the plaintiff.
What remains is that a huge number of businesses suffered data breaches affecting hundreds of thousands of individuals across the globe, particularly in North America, yet there is little reporting, little transparency, and no compensation for the victims.
Looking Ahead
This kind of attack is difficult to prevent. Zero-day vulnerabilities are so called because the vendor, and the wider security community, have had zero days to fix or triage the flaw before it is exploited. Until a vulnerability is known there is no patch to apply and no signature to detect it, so the first indication is often the intrusion itself. That does not mean, however, that there are no precautions that reduce the damage done.
In the case of Sam's Club, the dismissed lawsuit alleges that the breached data included full names, dates of birth, contact information, credit card information, driver's licence information, and Social Security numbers (SSNs), all of which were unencrypted both on the business's own systems and while being transmitted to Cleo and/or other third parties. While we cannot comment on whether this was indeed the case, any business that fails to safeguard its customers' sensitive data is engaging in negligent behaviour that risks the security of its entire customer base. Encrypting such records before they are handed to a transfer platform would have meant that a compromised server yielded ciphertext rather than usable identities. Another publication details, for example, that some companies were slow to roll out the patches issued by Cleo, leaving the user data they stored exposed for longer than necessary.
Furthermore, the court documents show that one of the remedies sought was to prohibit the defendant from storing customer information on servers belonging to cloud service providers. While that would be a suboptimal outcome for most businesses, we may see wider backlash against outsourced data management if data continues to be mishandled. So, for the sake of people and businesses everywhere, let's all be much more careful about what data we store, how we store it, and where we send it.
Sources
https://www.whiteblueocean.com/glossary/#accordion-glossary-z
https://nvd.nist.gov/vuln/detail/CVE-2024-50623
https://www.imperva.com/blog/imperva-protects-against-the-exploited-cves-in-the-cleo-data-theft-attacks/
https://www.cybersecuritydive.com/news/mandiant-cleo-exploits-october/736042/
https://www.zerofox.com/intelligence/flash-report-cl0p-publishes-data-of-cleo-compromise-victims/
https://www.bleepingcomputer.com/news/security/clop-ransomware-is-now-extorting-66-cleo-data-theft-victims/
https://securitybuzz.com/cybersecurity-news/when-the-weakest-link-breaks-the-cleo-vulnerability-behind-the-hertz-data-breach/
https://s3.documentcloud.org/documents/25908188/us-dis-ilnd-3-25cv50186-d169199601e306-complaint-filed-by-shoshannah-pass-jury-demand-fil.pdf
https://storage.courtlistener.com/recap/gov.uscourts.ilnd.476856/gov.uscourts.ilnd.476856.7.0.pdf
https://cybersecuritynews.com/cl0p-ransomware-group-cleo/
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.