{"id":57877,"date":"2024-12-16T23:50:51","date_gmt":"2024-12-16T23:50:51","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/ransomware-scum-blow-holes-in-cleo-software-patches-cl0p-sort-of-claims-responsibility\/"},"modified":"2024-12-16T23:50:51","modified_gmt":"2024-12-16T23:50:51","slug":"ransomware-scum-blow-holes-in-cleo-software-patches-cl0p-sort-of-claims-responsibility","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ransomware-scum-blow-holes-in-cleo-software-patches-cl0p-sort-of-claims-responsibility\/","title":{"rendered":"Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility"},"content":{"rendered":"<p>Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-linked gang Cl0p has claimed are its evil work.<\/p>\n<p>This story starts in October when Cleo patched its Harmony, VLTrader, and LexiCom products to address an unrestricted file upload and download flaw that could lead to remote code execution (RCE).<\/p>\n<p>But last week infosec outfit Huntress <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/12\/10\/cleo_vulnerability\/\" rel=\"noopener\">warned<\/a> that Cleo&#8217;s products were under attack after the patches were bypassed. 
Huntress&#8217;s researchers <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.huntress.com\/blog\/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild\">advised<\/a> that mass exploitation was occurring, at least ten businesses had been compromised, and even fully patched systems were exploitable.<\/p>\n<p>The security shop later identified a new malware strain named <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.huntress.com\/blog\/cleo-software-vulnerability-malware-analysis\">Malichus<\/a> that exploits the problem.<\/p>\n<p>Cleo <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/support.cleo.com\/hc\/en-us\/articles\/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623\">urged<\/a> customers to update its Harmony, VLTrader, and LexiCom products to version 5.8.0.21, which the vendor claimed patched CVE-2024-50623.<\/p>\n<p>The software vendor has since issued a security alert for a new vulnerability, <a target=\"_blank\" rel=\"nofollow noopener\" 
href=\"https:\/\/support.cleo.com\/hc\/en-us\/articles\/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956\">CVE-2024-55956<\/a>, and &#8220;strongly advises&#8221; customers to upgrade instances of Harmony, VLTrader, and LexiCom to version 5.8.0.24, which it says addresses a previously reported critical bug.<\/p>\n<p>According to cyber security platform vendor Rapid7, CVE-2024-55956 is a bypass of the earlier flaw, CVE-2024-50623, and has been exploited. &#8220;Our team has observed enumeration and post-exploitation activity and is investigating multiple incidents,&#8221; the threat hunters <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.rapid7.com\/blog\/post\/2024\/12\/10\/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623\/\">wrote<\/a> last week.<\/p>\n<p>Cleo did not immediately respond to <em>The Register<\/em>&#8216;s questions \u2013 including how many customers had been compromised, and what exactly the relationship between CVE-2024-50623 and CVE-2024-55956 is. 
We will update this story if any substantive response should appear.<\/p>\n<p>By December 13, the US Cybersecurity and Infrastructure Security Agency (CISA) had <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog?search_api_fulltext=Cleo&amp;field_date_added_wrapper=all&amp;field_cve=&amp;sort_by=field_date_added&amp;items_per_page=20&amp;url=\">added<\/a> the Cleo bug to its catalog of Known Exploited Vulnerabilities, and listed it as being abused in ransomware campaigns. Shortly after, Cl0p reportedly <a target=\"_blank\" href=\"https:\/\/bsky.app\/profile\/hackmanac.com\/post\/3ldefzn5doc2v\" rel=\"noopener\">posted<\/a> a cryptic message on its data leak site that seemingly claimed to be responsible for the attacks:<\/p>\n<p>The criminals also wished everyone a &#8220;Happy New Year.&#8221; They did not, however, post any sample data to download.<\/p>\n<div class=\"CaptionedImage Border width_85\" readability=\"7\"><a href=\"https:\/\/regmedia.co.uk\/2024\/12\/16\/leakscreenshot.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/regmedia.co.uk\/2024\/12\/16\/leakscreenshot.png?x=442&amp;y=178&amp;infer_y=1\" alt=\"Cl0p posted a cryptic message on its data leak site\" title=\"Cl0p posted a cryptic message on its data leak site\" height=\"178\" width=\"442\"><\/a><\/p>\n<p class=\"text_center\">Cl0p posted a cryptic message on its data leak site<\/p>\n<\/div>\n<p>Neither CISA nor the FBI immediately responded to <em>The Register<\/em>&#8216;s questions about which ransomware gang was behind the attacks and how many victims had been compromised.<\/p>\n<p>Cl0p, as <em>El Reg<\/em> readers likely remember, is the Russia-linked <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/06\/15\/clop_broke_into_the_doe\/\" rel=\"noopener\">ransomware crew<\/a> that also exploited a critical security hole in Progress 
Software&#8217;s MOVEit product suite back in May 2023, and used this flaw to steal data from thousands of organizations and <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/05\/08\/georgia_state_education_moveit\/\" rel=\"noopener\">millions of individuals<\/a>. Because of the similarities between Cleo and MOVEit products \u2013 and the fact that the MOVEit attack is still <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/12\/03\/760k_xerox_nokia_bofa_morgan\/\" rel=\"noopener\">claiming victims<\/a> \u2013 infosec experts are watching the Cleo situation closely.<\/p>\n<p>But the jury is still out on whether people should believe Cl0p&#8217;s claims.<\/p>\n<p>&#8220;I&#8217;m still waiting for more definitive proof that it was Cl0p that performed these attacks, personally,&#8221; John Hammond, Huntress principal security 
researcher, told <em>The Register<\/em>. &#8220;Until I see the victim notifications and data to download, I&#8217;m not sure I trust a threat actor&#8217;s word quite yet.&#8221;<\/p>\n<p>He added that Cleo&#8217;s most recent update does plug the hole. &#8220;As far as I know 5.8.0.24 is successful at preventing our proof-of-concept exploit for the <em>new<\/em>, December-based CVE-2024-55956,&#8221; Hammond asserted.<\/p>\n<p>Still, it&#8217;s too soon to say who is behind the exploits. The Cleo activity that Huntress has been tracking &#8220;didn&#8217;t entirely line up with&#8221; Cl0p&#8217;s usual tradecraft, Hammond added, &#8220;So I am still speculative.&#8221;<\/p>\n<h3 class=\"crosshead\">&#8216;Waiting for proof&#8217;<\/h3>\n<p>Hammond also worries that the message on Cl0p&#8217;s leak site isn\u2019t proof of the group&#8217;s involvement.<\/p>\n<p>&#8220;I&#8217;m not certain if this means they are claiming responsibility for the Cleo attacks, or if it is just a strange timing of their choice to remove all the old data,&#8221; Hammond told <i>The Register<\/i>. &#8220;One possibility is that they are preparing to post all new victims and begin negotiating, but, it is all only speculation for now.&#8221;<\/p>\n<p>Rapid7&#8217;s senior director of threat analytics Christiaan Beek also said his team hasn&#8217;t seen any &#8220;hard evidence&#8221; pointing to Cl0p \u2013 or any other group \u2013 being involved in attacks on Cleo products. &#8220;However, we have seen Cl0p utilize complex chains similar to this vulnerability in multiple file transfer use cases before, such as MOVEit and <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/02\/22\/in_brief_security\/\" rel=\"noopener\">Accellion FTA<\/a> in 2021,&#8221; he told <em>The Register<\/em>.<\/p>\n<p>&#8220;Cl0p usually uses pure zero-day chains or vulnerabilities,&#8221; Beek added. 
&#8220;This was an &#8216;impure&#8217; chain in that one of the vulnerabilities was fixed and potentially exploited before Cl0p started using it \u2013 that we know of.&#8221;<\/p>\n<p>And while no one (other than the perpetrators themselves, who may or may not be Cl0p) has independently confirmed who or what is abusing Cleo&#8217;s products, the tactics do appear to line up with Cl0p&#8217;s modus operandi, according to Ferhat Dikbiyik, chief research and intelligence officer at Black Kite.<\/p>\n<p>&#8220;This aligns with Cl0p&#8217;s typical pattern: exploit a vulnerability at scale, negotiate quietly with initial victims, and then publicly announce their campaign to apply additional pressure,&#8221; Dikbiyik told <em>The Register<\/em>. &#8220;Based on their previous attacks on MOVEit and <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/01\/24\/public_exploit_published_within_hours\/\" rel=\"noopener\">GoAnywhere<\/a>, we can expect victim names to start surfacing within one to two weeks.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2024\/12\/16\/ransomware_attacks_exploit_cleo_bug\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>But can you really take crims at their word? 
Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-linked gang Cl0p has claimed are its evil work.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-57877","post","type-post","status-publish","format-standard","hentry","category-the-register"]}