Spotlight


Clop's Cleo Campaign, A Case Study in Exploitation

Just like in previous years, Clop returned with a campaign built around a newly discovered vulnerability. After the noise surrounding MOVEit, the group had gone relatively quiet, releasing victim posts sporadically. But in December 2024, they reemerged by exploiting critical flaws in Cleo—unleashing what could have been another major supply chain crisis.

The attack itself was large and sophisticated. But limited media coverage, organizations’ increased resistance to paying ransoms, and the fact that Clop’s once-effective tactics have begun to lose their sting all contributed to something unusual: a campaign that was successful in execution, but surprisingly subdued in impact.

CVEs Found in Cleo


So, what exactly happened with Cleo?

Cleo is a widely used Managed File Transfer (MFT) platform relied upon by thousands of companies worldwide for secure data transfer and system integration. However, in late 2024, two critical vulnerabilities were identified in Cleo’s core products, posing serious threats to overall system security.

  • CVE-2024-50623 is an unrestricted file upload and download flaw. It allows attackers to upload malicious files that lead to remote code execution: standard authentication checks can be bypassed and arbitrary commands executed on the targeted system, raising the risk of complete system compromise.
  • CVE-2024-55956 concerns the default configuration of the Autorun directory. Because the system automatically processes any file placed in this predetermined directory, attackers who exploit the vulnerability can execute Bash or PowerShell commands on the host.

Both vulnerabilities present significant risks, which makes it critically important for affected organizations to promptly implement the necessary security updates.
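The second flaw above turns a directory into an execution surface: anything written there is processed automatically. A defensive control that follows directly from that description is a baseline audit of the Autorun-style directory, flagging any file the operator did not expect and escalating script-like files. The script below is an added example, not Cleo's code or part of the original report; the path `/opt/mft/autorun` is a placeholder assumption to be replaced with the deployment's real directory, and the allowlist and sample files in `demo()` are constructed for illustration.

```python
#!/usr/bin/env python3
"""Baseline audit of an MFT 'autorun'-style directory.

Added example, not the vendor's code. Assumptions: the platform executes
or processes whatever lands in AUTORUN_DIR (placeholder path), and the
operator maintains an allowlist of file names expected to live there.
"""
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Placeholder: replace with the autorun directory of the real deployment.
AUTORUN_DIR = Path("/opt/mft/autorun")

# Extensions that indicate a script drop rather than a data/job file.
SCRIPT_SUFFIXES = {".sh", ".bash", ".ps1", ".bat", ".cmd"}


def audit_autorun_dir(autorun_dir: Path, allowlist: set[str]) -> list[dict]:
    """Return one finding per regular file that is not on the allowlist.

    Every unexpected file is reported (the directory is auto-processed, so
    nothing stray should be there); files with a script extension are
    escalated to 'high' because auto-processing turns them into command
    execution on the host.
    """
    findings = []
    for entry in sorted(autorun_dir.iterdir()):
        if not entry.is_file() or entry.name in allowlist:
            continue
        stat = entry.stat()
        severity = "high" if entry.suffix.lower() in SCRIPT_SUFFIXES else "medium"
        findings.append({
            "path": str(entry),
            "severity": severity,
            "size": stat.st_size,
            "mtime": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
        })
    return findings


def demo() -> list[dict]:
    """Run the audit against a constructed directory (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Two expected job files that are on the allowlist.
        (d / "nightly-report.xml").write_text("<report/>")
        (d / "sync-inventory.xml").write_text("<sync/>")
        # Two unexpected files: a script-like drop and a stray data file.
        (d / "update.ps1").write_text("# constructed sample, performs no action")
        (d / "notes.txt").write_text("constructed stray file")
        allowlist = {"nightly-report.xml", "sync-inventory.xml"}
        return audit_autorun_dir(d, allowlist)


if __name__ == "__main__":
    # Against a live system, call audit_autorun_dir(AUTORUN_DIR, <your allowlist>)
    # from a scheduled job and ship the findings to your SIEM.
    for finding in demo():
        print(json.dumps(finding))
```

Run from cron or a scheduled task and alert on any non-empty result; the `mtime` field lets responders correlate a drop with upload activity in the MFT's own access logs.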

Clop’s Cleo Attack Chronology: From Holiday Excuses to Chaos

By the end of February, the total number of victims had climbed to nearly 400.

Industries Impacted by Clop’s Cleo Campaign


Cleo’s MFT solution is heavily utilized across several key industries for secure data integration and transfer. Unsurprisingly, the sectors most reliant on such infrastructure were also the ones most impacted by Clop’s exploitation of Cleo’s vulnerabilities.

Clop’s Cleo Campaign Victims by Industry

Top 3 Industries Impacted by Clop’s Cleo Campaign

1. Manufacturing


Manufacturing stands out as the most affected sector, accounting for more than a quarter of the victims. This aligns with Cleo’s widespread usage in production workflows.

2. Supply Chain-Related Sectors

Wholesale Trade

Transportation & Warehousing

These two sectors are deeply integrated with manufacturing operations and rely heavily on Cleo for logistics, scheduling, and real-time data exchange, making them both highly exposed and high-impact targets.

3. Professional Services & Information Technology


These industries often serve as integrators, consultants, or technical service providers for Cleo deployments. Targeting them likely provided Clop with access to secondary targets or amplified the reach of the breach.

In summary, in its Cleo campaign Clop targeted not only a technical vulnerability, but also the industries at the core of the supply chain. The goal was not just data theft, but operational chaos. Maybe they thought this would make everything more impactful. But they failed.

Why?

Clop’s Strategy and Tactics: Stir Curiosity, Buy Time


A campaign large in scope—but quiet in impact.

Clop disclosed nearly 400 victims. That’s a substantial number, yet the public response was barely a whisper.


The group kept postponing its publication dates. First, it was “within 48 hours,” then “on December 30,” and finally, a vague “after the holidays” excuse. These repeated delays made Clop resemble a child throwing a tantrum for attention—but this time, no one looked their way. The industry didn’t flinch, the media didn’t bite, and the reaction Clop seemed to expect… never came.

Their tone grew sharper. Their strategy lost direction. And eventually, they dumped the entire victim list in one go, bringing the campaign to a blunt, anticlimactic end.

Perhaps the most telling aspect: This campaign failed to match the impact of Clop’s highly successful 2023 attacks via mass exploitation of MOVEit vulnerabilities. Same group, similar tactics, another MFT product, hundreds of victims… but this time, the media was indifferent, the industry stayed quiet, and the public barely noticed.

Clop was a star during the MOVEit mass exploitation. During the Cleo campaign, their voice got lost in the noise.

So, how can organizations avoid becoming the next victim? The answer lies in proactive intelligence.
