Blue Yonder says November ransomware attack not connected to Cleo vulnerability


Blue Yonder, the supply chain management giant that was hit by a ransomware attack last month that caused ripples throughout the retail sector, said it is investigating claims of data theft made by a ransomware gang on Christmas Eve. 

The Clop ransomware operation said it stole information from Blue Yonder and dozens of other companies through a recently discovered zero-day vulnerability in file sharing software from a company named Cleo. 

The gang made several threats toward Blue Yonder and said the company was not responding to its extortion attempts. 

The Panasonic-owned company said it has no reason to believe the recent claims are connected to last month’s ransomware attack, which caused disruptions at Starbucks, BIC and several major supermarket brands.

In a statement to Recorded Future News, a Blue Yonder spokesperson acknowledged that the company uses Cleo to manage certain file transfers and has applied the patch for the vulnerability. 

“Like many Cleo customers across the globe, we are currently investigating any potential impact of this matter on our business and will provide an appropriate update to our customers when we have additional information,” the spokesperson said. 

“We have no reason to believe the Cleo vulnerability is connected to the cybersecurity incident we experienced in November.”

The spokesperson declined to answer several questions about potential ties between the two incidents and whether a ransom demand has been issued for either. A relatively new ransomware operation named Termite took credit for the November ransomware attack on Blue Yonder, which provides digital supply chain tools to some of the largest companies on the planet. 

The attack disrupted a back-end Starbucks process that lets employees view and manage their schedules and see how many hours they have worked. Several major supermarket brands in the U.K. and manufacturers in the U.S., such as pen-maker BIC, reported production issues related to the attack. 

Nearly all customer systems have since been restored but the Termite gang claimed it stole 680 GB of data that includes emails, insurance documents, company data and more. 

Blue Yonder was acquired by Panasonic in 2021 for about $8.5 billion and provides systems for fulfillment, delivery and returns for more than 3,000 major companies across 76 countries.

Just two weeks after the Blue Yonder ransomware incident in November, file transfer software company Cleo warned customers that a vulnerability in three of its most popular products was being abused by hackers. 

The Clop ransomware gang eventually took credit for exploiting the bug — adding yet another file transfer giant to its list of victims. In total, Clop named 66 organizations that had information stolen through the Cleo file transfer software. 

Blue Yonder is currently the only company Clop named fully as part of the Cleo leaks — the other names of victim organizations are partially obscured. Several of the companies that could be gleaned from the list were contacted but did not respond to requests for comment. 

Cleo is the fourth file transfer tool to be exploited by Clop after global data theft campaigns targeting MOVEit, GoAnywhere and Accellion. In each of the attacks, the group typically focuses on stealing data held in the file transfer software and selling that for a ransom as opposed to the typical attempt to shut down or damage an organization’s devices or systems. 

The most recent Clop campaign against MOVEit had global implications, impacting several U.S. federal departments, governments and Fortune 500 companies.

Cybersecurity firm Emsisoft estimates that 2,773 organizations were impacted by the attacks on MOVEit, and the records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

Clop is estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
