Sam’s Club investigating attack claim linked to Clop ransomware

Sam’s Club confirmed it is investigating a possible cyberattack after the retailer was referenced on a leak site by the prolific Clop ransomware gang. 

Clop ransomware posted a reference to the warehouse club last week but did not release any specific information suggesting it had exfiltrated company or customer data. 

“We are aware of reports regarding a potential security incident and are actively investigating the matter,” a company spokesperson told Cybersecurity Dive via email. 

Sam’s Club officials have not seen any specific cyber intrusion or security incidents. 

Arkansas-based Sam’s Club is a division of Walmart Inc. and includes about 600 warehouse clubs across the country. Sam’s Club reported more than $86 billion in net sales during fiscal 2024. 

Clop ransomware became one of the most prolific criminal organizations in recent memory after it was linked to the mass exploitation of zero-day vulnerabilities in MOVEit file transfer software. 

The Sam’s Club investigation follows a series of attacks exploiting vulnerabilities in Cleo file transfer software that were linked to Clop. 

Sam’s Club is one of many companies listed on the Clop leak site in connection with the Cleo attack spree, according to researchers at Intel 471.

A series of attacks in late 2024 were linked to zero-day vulnerabilities in Cleo Harmony, VL Trader and LexiCom.

The exploited flaws include an unrestricted file upload and download vulnerability, listed as CVE-2024-50623 and CVE-2024-55956, which allows an unauthenticated attacker to import and execute arbitrary bash or PowerShell commands on a host system. 

“Clop has been quite successful with these supply chain-style attacks using zero-day exploits to steal data from a large number of organizations in a short period of time,” said Brett Stone-Gross, senior director, threat intelligence, at Zscaler. “This has led to the Clop ransomware group increasingly focusing on data extortion rather than file encryption for monetization.”

In December, researchers from Mandiant traced a cluster of exploitation activity to a threat actor that overlaps with Fin11, which is also known as Clop.
