Blue Yonder said it is investigating a threat after Clop listed the supply chain management company among nearly 60 companies the ransomware group claims it hacked. The attacks were linked to exploited vulnerabilities in Cleo file-transfer software, according to researchers from Zscaler and Huntress.
A spokesperson for Blue Yonder on Friday confirmed the company uses Cleo to manage certain file transfers. Once the zero-day was confirmed, Blue Yonder said it immediately took steps to mitigate the threat.
“Like many Cleo Harmony customers across the globe, we are currently investigating any potential impact of this matter on our business and we continue to update our customers as we have additional information,” the spokesperson told Cybersecurity Dive via email.
Blue Yonder, a major provider of supply chain technology, disclosed a ransomware attack in November that impacted numerous customers across the globe.
The attack impacted firms ranging from Starbucks to U.K. supermarket chain Morrisons, and disrupted a range of logistics operations at those respective customers.
Clop, a financially motivated threat group linked to the mass exploitation of MOVEit file-transfer software, previously claimed credit for exploiting the Cleo vulnerabilities in a December posting.
The threat is linked to vulnerabilities in Cleo Harmony, VLTrader and LexiCom. Cleo in October had warned of an unrestricted file upload and download vulnerability, tracked as CVE-2024-50623, but Huntress researchers found that the patch for that flaw did not offer adequate protection.
A second vulnerability, tracked as CVE-2024-55956, can allow an unauthenticated attacker to import and execute arbitrary bash or PowerShell commands on a host system. That vulnerability was assigned a CVE in December, just days after a patch was issued.
Security researchers criticized the company in December for delays in releasing the patch.
Clop threatened to leak data from these companies starting this weekend if they fail to contact the group.
Researchers from Zscaler said the exploitation of file-transfer services is very familiar territory for Clop.
“The Clop ransomware gang has been known to use this vector of exploiting zero-day vulnerabilities in file transfer applications, resulting in remote code execution and unauthorized access leading to mass data exfiltration,” Deepen Desai, CSO at Zscaler, said via email.
Huntress researchers in December said they were aware of companies in the consumer products, trucking, food and shipping industries being targeted.
Mandiant researchers identified the threat actor exploiting the Cleo CVEs as UNC5936. Researchers said the cluster had overlaps with FIN11, which is also known as Clop. Malicious backdoors, including Beacon and Goldtomb, had been deployed on exploited systems.