Investigating a potential Clop ransomware attack on Blue Yonder linked to exploited vulnerabilities in Cleo software.
In a recent cybersecurity incident, logistics software company Blue Yonder has fallen victim to a ransomware attack, allegedly linked to the Clop ransomware group and vulnerabilities in Cleo file-transfer software. The attack has disrupted operations at numerous Blue Yonder customers globally.
Researchers from Zscaler and Huntress have connected the attack to the Clop ransomware group, which has claimed responsibility for data breaches tied to the Cleo flaws. Mandiant researchers have identified the threat actor exploiting the Cleo CVEs as UNC5936, a cluster that overlaps with FIN11, also known as Clop.
The attack is believed to be linked to exploited vulnerabilities in Cleo file-transfer software, specifically CVE-2024-50623. However, it appears that the patch issued by Cleo in October did not offer adequate protection against the threat actor UNC5936.
The threat actor UNC5936 deployed malicious backdoors, including Beacon and Goldtomb, on exploited systems. Clop has threatened to leak data from targeted companies starting this weekend if they fail to contact the group.
The attack affected companies such as Starbucks and U.K. supermarket chain Morrisons, and Huntress researchers were aware of companies in the consumer products, trucking, food, and shipping industries being targeted by the same threat actor.
Blue Yonder uses Cleo to manage certain file transfers, and the company took immediate steps to mitigate the threat once the zero-day was confirmed.
Security researchers have criticized Cleo for delays in releasing the patch for CVE-2024-50623 in December. To defend against such threats, security measures recommended include conducting periodic security assessments, enforcing multi-factor authentication, deploying behavioral detection solutions, training users to avoid downloading suspicious files or clicking untrusted links, regularly backing up data, and keeping antivirus signatures, OS, and third-party applications up to date.
In summary, while the source material does not give direct technical details on CVE-2024-50623 and CVE-2024-55956 as they relate to the Blue Yonder Cleo attack, the incident fits the familiar pattern of ransomware operators exploiting network and software vulnerabilities in combination with credential compromise. Following established security practices, including vulnerability management, multi-factor authentication, backups, and user vigilance, is essential to defend against such threats. The current status of Blue Yonder's investigation into the ransomware attack is not specified in the source material.
- The ransomware attack on logistics software company Blue Yonder, allegedly linked to the Clop ransomware group, highlights the need for robust cybersecurity measures in the data-and-cloud-computing industry.
- Clop, the ransomware group responsible for the attack, has threatened to leak data from targeted companies if they fail to contact the group, demonstrating the exposure of financial institutions to such threats.
- Researchers have criticized Cleo, the software company whose vulnerabilities were exploited in the attack, for delays in releasing the patch for CVE-2024-50623, underscoring the importance of prompt vulnerability management in technology.
- To safeguard against future ransomware attacks, it's recommended to incorporate security measures such as periodic security assessments, multi-factor authentication, behavioral detection solutions, user training, regular data backup, and keeping antivirus signatures, OS, and third-party applications up to date.