The Nationaal Cyber Security Centrum (NCSC) of the Netherlands has issued a warning regarding a series of cyberattacks orchestrated by the Cl0p ransomware group, which has been exploiting zero-day vulnerabilities in file transfer systems. These attacks, which began in late 2024, have targeted products from the software company Cleo, including Cleo Harmony, Cleo VLTrader, and Cleo LexiCom [^1]. The group has been exfiltrating sensitive data and extorting victims, leveraging these vulnerabilities to gain unauthorized access to critical systems.
Cleo has since released security updates to patch the vulnerabilities, but the NCSC emphasizes that organizations must remain vigilant, as Cl0p has a history of targeting file transfer systems opportunistically, regardless of industry or geography [^2].
TL;DR: Key Points
- Threat Actor: Cl0p ransomware group.
- Targets: File transfer systems, specifically Cleo Harmony, Cleo VLTrader, and Cleo LexiCom.
- Tactics: Exploitation of zero-day vulnerabilities, data exfiltration, and extortion.
- Impact: Sensitive data stolen, financial losses, and reputational damage.
- Remediation: Apply security patches, implement strict access controls, and monitor network traffic.
The Cl0p Campaign: A Deep Dive
Exploitation of Zero-Day Vulnerabilities
The Cl0p group has been exploiting zero-day vulnerabilities in Cleo’s file transfer systems, which are widely used for secure data exchange between organizations. These vulnerabilities allowed the attackers to deploy customized webshells tailored to the specific weaknesses in the software. The webshells were used to exfiltrate data and, in some cases, remove indicators of compromise (IOCs) to evade detection [^3].
Unlike traditional ransomware attacks, Cl0p did not encrypt the data. Instead, the group focused on data exfiltration and extortion, threatening to publish the stolen information if ransom demands were not met. Other cybercrime groups, such as Karakurt, RansomHouse, and BianLian, have adopted the same encryption-less extortion model, making it a growing trend in the cybercrime landscape [^4].
Historical Context
Cl0p is not new to targeting file transfer systems. In 2023, the group exploited vulnerabilities in Accellion FTA, GoAnywhere MFT, and MOVEit Transfer, impacting nearly 2,800 organizations and compromising data from 96 million individuals [^5]. The recent campaign against Cleo products follows a similar modus operandi, suggesting that Cl0p has refined its techniques and continues to pose a significant threat.
Technical Details and Indicators of Compromise (IOCs)
Webshell Deployment
Cl0p’s use of webshells is a key aspect of their attacks. These webshells are designed to:
- Exfiltrate data from compromised systems.
- Remove IOCs to hinder forensic investigations.
- Maintain persistence within the victim’s network.
The webshells are typically deployed on internet-facing applications, which are directly reachable by attackers and therefore the most exposed to exploitation. Organizations are advised to monitor for unusual outbound traffic from these systems, as this can indicate data exfiltration.
Vulnerabilities Exploited
The specific vulnerabilities in Cleo’s products have not been publicly disclosed, but they are believed to be related to authentication bypass and remote code execution (RCE). Cleo has released patches for these vulnerabilities, and organizations are urged to apply them immediately [^6].
Relevance to Security Professionals
For Red Teams
- Simulate Attacks: Use the tactics, techniques, and procedures (TTPs) employed by Cl0p to test your organization’s defenses against similar attacks.
- Develop Exploits: Research and develop proof-of-concept exploits for file transfer systems to identify potential weaknesses.
For Blue Teams and SOC Analysts
- Monitor Logs: Look for signs of webshell deployment, such as unusual file uploads or modifications.
- Implement Network Segmentation: Limit the lateral movement of attackers within the network.
- Deploy Canary Files: Use decoy files to detect unauthorized access or exfiltration attempts.
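An added detection example, not code from the NCSC advisory or from Cleo, that applies the log-monitoring advice above to constructed file-system audit and network-flow lines: it flags script files written under a web-exposed directory (webshell deployment), a file deleted shortly after it was created (IOC removal), and a single bulk outbound transfer (exfiltration). The log format, the `/opt/mft/webapps/` path and the 100 MiB threshold are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed audit format (constructed for this example):
#   "<ISO timestamp> <host> <CREATE|MODIFY|DELETE|OUTBOUND> <path or dest IP> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (CREATE|MODIFY|DELETE|OUTBOUND) (\S+) (\d+)$")
WEB_DIRS = ("/opt/mft/webapps/",)           # hypothetical web-exposed directory of the MFT server
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".aspx")
ANTI_FORENSIC_WINDOW = timedelta(hours=24)   # create-then-delete inside this window is suspicious
EXFIL_BYTES = 100 * 1024 * 1024              # flag a single outbound transfer above 100 MiB

# Constructed sample lines: one host shows the full pattern, the other is benign.
SAMPLE_LOG = """\
2025-01-10T02:14:03Z mft-01 CREATE /opt/mft/webapps/ROOT/upload.jsp 1842
2025-01-10T02:14:05Z mft-01 MODIFY /opt/mft/webapps/ROOT/upload.jsp 1903
2025-01-10T02:15:10Z mft-01 OUTBOUND 203.0.113.7 734003200
2025-01-10T02:40:00Z mft-01 DELETE /opt/mft/webapps/ROOT/upload.jsp 0
2025-01-10T09:00:12Z mft-02 CREATE /opt/mft/data/in/invoice-4471.pdf 55021
2025-01-10T09:01:00Z mft-02 OUTBOUND 198.51.100.20 55021
"""

def parse(line):
    """Return (timestamp, host, event, target, bytes) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def analyze(log_text, exfil_bytes=EXFIL_BYTES):
    """Run the three checks over the log and return (rule, host, detail) findings in log order."""
    findings = []
    created = {}  # (host, path) -> timestamp of the most recent CREATE
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, event, target, nbytes = rec
        if event in ("CREATE", "MODIFY"):
            if event == "CREATE":
                created[(host, target)] = ts
            # Script file written into a web-exposed directory: possible webshell
            if target.startswith(WEB_DIRS) and target.lower().endswith(SCRIPT_EXT):
                findings.append(("webshell_write", host, f"{event} {target}"))
        elif event == "DELETE":
            # Short-lived file removed again: consistent with cleaning up IOCs
            born = created.get((host, target))
            if born is not None and ts - born <= ANTI_FORENSIC_WINDOW:
                findings.append(("ioc_cleanup", host, f"{target} deleted {ts - born} after creation"))
        elif event == "OUTBOUND" and nbytes > exfil_bytes:
            findings.append(("bulk_outbound", host, f"{nbytes} bytes to {target}"))
    return findings
```

In a real deployment the sample would be replaced by file-integrity and flow records exported from the transfer server, and the outbound threshold would be set from that host's normal daily volume.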
For System Administrators
- Patch Management: Ensure all software, especially file transfer systems, is up to date with the latest security patches.
- Access Controls: Restrict internet-facing applications to known users and implement strict access control lists (ACLs).
Remediation Steps
- Apply Security Updates: Install the latest patches from Cleo to address the exploited vulnerabilities.
- Restrict Internet Access: Limit the exposure of file transfer systems to the internet.
- Monitor Network Traffic: Use tools like SIEM and EDR to detect and respond to suspicious activity.
- Implement Zero Trust Principles: Verify all access requests and assume that breaches will occur.
- Develop an Incident Response Plan: Prepare for potential breaches by creating a detailed response strategy.
Conclusion
The Cl0p ransomware group’s latest campaign highlights the ongoing threat posed by cybercriminals targeting file transfer systems. By exploiting zero-day vulnerabilities, the group has demonstrated its ability to adapt and refine its tactics. Organizations must take proactive steps to secure their systems, including applying patches, monitoring network traffic, and implementing robust access controls.
As the threat landscape continues to evolve, collaboration between red teams, blue teams, and system administrators will be crucial in mitigating these risks. The NCSC’s warning serves as a timely reminder of the importance of staying ahead of cyber adversaries.
References
[^1]: Nationaal Cyber Security Centrum (2025). “NCSC waarschuwt voor Cl0p-campagnes die zich richten op filetransfer-systemen”. NCSC. Retrieved 2025.
[^2]: Security.NL (2025). “NCSC waarschuwt organisaties voor aanvallen op filetransfer-applicaties”. Security.NL. Retrieved 2025.
[^3]: Nationaal Cyber Security Centrum (2025). “Actueel | Nationaal Cyber Security Centrum”. NCSC. Retrieved 2025.
[^4]: 112Wwft.nl (2025). “NCSC waarschuwt voor Cl0p-campagnes die zich richten op filetransfer-systemen”. 112Wwft.nl. Retrieved 2025.
[^5]: Security.NL (2025). “NCSC waarschuwt organisaties voor aanvallen op filetransfer-applicaties”. Security.NL. Retrieved 2025.
[^6]: Nationaal Cyber Security Centrum (2025). “Home | Nationaal Cyber Security Centrum”. NCSC. Retrieved 2025.