Protecting Against the Exploited CVEs in the Cleo Data Theft Attacks
Jan. 22, 2025, 6:17 p.m.
Description
The Clop ransomware group has exploited critical vulnerabilities in Cleo's managed file transfer software, specifically CVE-2024-50623 and CVE-2024-55956. These vulnerabilities allow unrestricted file upload/download and execution of arbitrary commands. Imperva has observed over 1 million exploitation attempts targeting nearly 10,000 sites across 60 countries, with a focus on the United States and Australia. Financial Services and Government sectors are primary targets. The attack involves a first-stage dropper file that invokes a PowerShell script to retrieve JAR files for persistence. Clop's tactics include targeting backup systems, encrypting files, and exfiltrating data for extortion. The group has previously exploited vulnerabilities in other file transfer programs, potentially earning over $75 million in ransoms.
Tags
Date
- Created: Jan. 22, 2025, 2:41 p.m.
- Published: Jan. 22, 2025, 2:41 p.m.
- Modified: Jan. 22, 2025, 6:17 p.m.
Attack Patterns
- Cyclops Blink - S0687
- Clop
- T1490
- T1059.001
- T1573
- T1486
- T1082
- T1105
- T1083
- T1204
- T1027
- T1566
- T1190
Additional Information
- Finance
- Government
- Australia
- United States of America