CyberMinute - Alberta Cybersecurity Insights

March 10, 2025 issue


Cl0p Exploits Cleo Vulnerabilities, Hundreds of Organizations Impacted

On December 9th, 2024, the cybersecurity company Huntress released a report detailing an actively exploited vulnerability in Cleo's file transfer software. Cleo is a Business-to-Business (B2B) technology solutions company primarily serving the supply chain, logistics, and manufacturing sectors, with file transfer solutions among its offerings. The vulnerability affects Cleo's LexiCom, VLTrader, and Harmony software products.

Later in December, the Russian ransomware group Cl0p claimed responsibility for exploiting the Cleo vulnerabilities. Cl0p has been active since 2019 and is known for leveraging vulnerabilities in file transfer software; it is best known for the 2023 MOVEit breach. On December 24, 2024, Cl0p partially disclosed 66 victims related to the widespread Cleo exploitation, and by February 25, 2025, this number had grown to approximately 300 organizations.

Of the victims, 27 are Canadian organizations, one of which is based in Alberta. Organizations in the US were observed to be the primary target at 72%, followed by Canada at 14%. The top three industries targeted in this attack, in order, are manufacturing, retail, and transportation.

The Cleo attack involved the exploitation of two critical vulnerabilities. The first, tracked as CVE-2024-50623, is an unrestricted file upload and download vulnerability that could lead to remote code execution. Although Cleo had released an initial patch, Huntress reported that the vulnerability could still be exploited; Cleo has since released another patch that does address it. Shortly after, Cleo identified a second vulnerability, CVE-2024-55956, impacting the same products. This vulnerability allowed the threat actor to import and execute code on the host system through the Autorun directory. The two CVEs are independent of each other, and both were exploited in the recent attacks.

The exploitation of the Cleo file transfer vulnerabilities highlights the importance of promptly applying security patches and verifying that they are effective. Organizations should maintain proactive patching efforts and integrate attack surface management to identify and reduce exposure to potential vulnerabilities. Combining regular updates with strong monitoring and response strategies will help minimize risk and improve resilience against future attacks.


Microsoft Copilot Poses a Risk to Private GitHub Repositories

On February 27th, 2025, the security company Lasso reported that Microsoft's Copilot can be used to expose private GitHub repositories. In its investigation, Lasso uncovered its own private repositories as well as 20,580 others belonging to 16,290 different organizations. Microsoft currently classifies this as a low-severity issue; however, it presents a risk to any organization whose repositories were mistakenly made public and later re-secured.

Lasso has identified Bing's caching functionality as the probable culprit. This functionality archives website data at specific points in time, similar to the Wayback Machine. Consequently, even if a website is taken down, its archived data may still be accessible. It appears that Copilot can query this cache, potentially exposing private data such as intellectual property, tokens, API keys, and other sensitive information to the public.

As part of their investigation, Lasso has identified organizations they deemed to be severely impacted and contacted them directly. Despite this, we recommend that organizations conduct their own spot checks for good measure—see the linked article for more details. Exposed data, such as API keys, should be rotated if they are still valid. More sensitive data, including personally identifiable information (PII) and intellectual property, may require more involved remediation efforts.


Blurred Lines: Nation-State Threat Actors and Cybercriminals Converge

The distinction between nation-state threat actors and cybercriminals is increasingly hard to make. Traditionally, nation-state actors focused on espionage and data destruction, while cybercriminals operated exclusively for financial gain. However, these groups are increasingly adopting each other's methods, infrastructure, objectives, and even personnel. Nation-state actors now leverage cybercriminal operations to advance strategic goals and as a source of income, while cybercriminals have evolved their capabilities to become just as sophisticated and difficult to defend against as state-sponsored groups.

Nation-state threat actors increasingly leverage ransomware for revenue generation, with North Korea’s Reconnaissance General Bureau deploying Play ransomware for extortion and Iranian-affiliated groups enabling access for ransomware attacks in exchange for a share of the profits. The lines between cybercriminals and state actors continue to blur, as Russian GRU-affiliated actors mobilize cybercriminal groups for cyberespionage and destructive attacks against Ukrainian targets, while contractors for China’s Ministry of State Security (MSS) engage in financially motivated operations and facilitate cyberespionage by sharing stolen certificates.

Conversely, cybercriminal groups have evolved to the point where their capabilities rival those of nation-state threat actors, leveraging zero-day vulnerabilities and sophisticated social engineering while using legitimate services and fileless malware to evade detection. This convergence complicates attribution and defense, as both criminal syndicates and state-backed groups target critical sectors like healthcare, energy, and finance. As these overlaps grow, defenders must adapt to counter advanced tactics once thought exclusive to nation-state threats.
