Clop Ransomware Group Targets Gladinet CentreStack Servers to Exfiltrate Data

The notorious Clop ransomware group has launched a new data extortion campaign targeting internet-facing Gladinet CentreStack file servers, exploiting an unknown vulnerability to steal sensitive corporate information.

Incident responders from the Curated Intelligence community first identified this campaign, which marks the latest in a series of Clop attacks targeting enterprise file transfer and storage solutions.

According to security researchers, Clop is actively exploiting a previously undisclosed vulnerability, either an n-day or a zero-day, in CentreStack systems.

Recent port scan data reveals a concerning attack surface, with at least 200 unique IP addresses running systems identified by the “CentreStack – Login” HTTP title, making them potential targets for exploitation.

The exact nature of the vulnerability remains unknown, and no CVE identifier has been assigned at this time.

CentreStack, developed by Gladinet, is an enterprise file synchronization and sharing solution that enables organizations to transform traditional file servers into cloud-based storage platforms.

The software is widely used by businesses to provide secure remote access to file servers, making it an attractive target for threat actors seeking to compromise corporate data.

This campaign follows Clop’s established playbook of targeting file transfer and storage infrastructure.

Clop Ransomware Group

The ransomware group has built a reputation for exploiting vulnerabilities in similar platforms to conduct mass exploitation campaigns.

Their previous victims include organizations using Oracle E-Business Suite, Cleo FTP servers, MOVEit Transfer, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere MFT.

The Clop group’s strategy focuses on identifying and exploiting vulnerabilities in widely-deployed file transfer solutions to maximize their potential victim pool.

By compromising these systems, threat actors can access sensitive corporate documents, financial records, intellectual property, and personal information.

The stolen data is then used as leverage in extortion campaigns, where Clop threatens to publish the information unless victims pay a ransom.

Security experts emphasize the urgency of this threat, particularly given the number of potentially vulnerable CentreStack servers exposed to the internet.

Organizations using CentreStack are strongly advised to take immediate defensive measures while the security community works to identify and patch the exploited vulnerability.

Gladinet CentreStack Clients

Recommended actions for CentreStack users include immediately reviewing system logs for suspicious activity, restricting internet access to CentreStack servers through network segmentation or firewall rules, implementing multi-factor authentication for all access points, and monitoring for any unusual data transfer activities.

Organizations should also ensure they maintain secure, offline backups of critical data that cannot be encrypted or deleted by attackers.
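The log review and data-transfer monitoring recommended above can start from the web server's access logs. The following is an added example, not code from Gladinet or the researchers: it totals bytes sent per client and flags outliers. It assumes W3C extended format logs with `sc-bytes` enabled; the sample lines, paths, and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample in IIS W3C extended format. The column set is an assumption;
# sc-bytes (bytes sent to the client) must be enabled in the server's logging.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2025-01-01 09:00:01 192.0.2.10 GET /constructed/a 200 20000
2025-01-01 09:00:05 192.0.2.10 GET /constructed/b 200 15000
2025-01-01 09:01:12 192.0.2.11 GET /constructed/c 200 48000
2025-01-01 09:02:40 192.0.2.12 GET /constructed/d 401 1200
2025-01-01 09:02:44 192.0.2.12 GET /constructed/d 200 30000
2025-01-01 02:13:00 198.51.100.7 GET /constructed/e 200 52428800
2025-01-01 02:13:09 198.51.100.7 GET /constructed/f 200 52428800
2025-01-01 02:13:20 198.51.100.7 GET /constructed/g 200 52428800
2025-01-01 02:13:31 198.51.100.7 GET /constr
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # drop truncated or malformed rows
                yield dict(zip(fields, parts))

def egress_by_client(text):
    """Sum sc-bytes of successful (2xx) responses per client IP."""
    totals = defaultdict(int)
    for rec in parse_w3c(text):
        sent = rec.get("sc-bytes", "-")
        if rec.get("sc-status", "").startswith("2") and sent.isdigit():
            totals[rec["c-ip"]] += int(sent)
    return dict(totals)

def flag_heavy_clients(text, ratio=10, min_bytes=50 * 1024 * 1024):
    """Return client IPs whose egress is >= min_bytes and >= ratio x the median client."""
    totals = egress_by_client(text)
    if not totals:
        return []
    median = max(statistics.median(totals.values()), 1)
    return sorted(ip for ip, sent in totals.items()
                  if sent >= min_bytes and sent >= ratio * median)

if __name__ == "__main__":
    for ip in flag_heavy_clients(SAMPLE_LOG):
        print(ip, egress_by_client(SAMPLE_LOG)[ip])
```

Tune `ratio` and `min_bytes` against a known-good baseline period, since legitimate sync clients can also move large volumes.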

The Curated Intelligence community continues to investigate this campaign and share threat intelligence with affected organizations.

As more information becomes available about the specific vulnerability being exploited, security teams will be better positioned to implement targeted defenses.

This incident underscores the persistent threat posed by ransomware groups like Clop, which continuously scan the internet for vulnerable systems and quickly weaponize newly discovered vulnerabilities.

Organizations must maintain vigilant security postures, regularly patch their systems, and minimize their attack surface by limiting internet exposure of critical file transfer infrastructure.

Network administrators running CentreStack deployments should prioritize security assessments and consider temporarily restricting external access until more information about the vulnerability and potential patches becomes available from Gladinet.
