
Clop Ransomware Strikes Gladinet CentreStack, Steals Data

Summary

– The Clop ransomware gang is actively targeting Internet-exposed Gladinet CentreStack file servers in a new data theft and extortion campaign.
– Gladinet CentreStack is a file-sharing solution used globally, and the gang is exploiting an unknown vulnerability (either a zero-day or an unpatched bug) to breach these servers.
– This campaign is part of Clop’s established pattern of attacking secure file transfer products, including previous large-scale attacks on Accellion, GoAnywhere, and MOVEit Transfer.
– After breaching systems and stealing data, Clop typically publishes the stolen information on its dark web leak site.
– The U.S. Department of State is offering a $10 million reward for information linking Clop’s activities to a foreign government.

A new wave of cyberattacks is targeting businesses using Gladinet CentreStack file-sharing servers, with the notorious Clop ransomware gang actively breaching systems to steal sensitive data. This campaign involves the group scanning the internet for exposed servers, compromising them, and leaving ransom notes, though the exact vulnerability being exploited remains unknown. Gladinet CentreStack is a platform that allows organizations to share files from their own servers securely through web browsers and mobile apps without needing a virtual private network (VPN), and it boasts a global user base.

Security researchers from the Curated Intelligence community have identified this ongoing extortion effort. Their analysis of recent port scan data suggests there are at least 200 unique IP addresses running the vulnerable “CentreStack – Login” service, all of which are now potential targets. The attackers are exploiting an unidentified security flaw, which could be a previously unknown zero-day or a known issue that administrators have failed to patch. Gladinet has issued several security updates since April to fix other flaws, some of which were exploited as zero-days in earlier attacks.

The Clop gang has a well-documented history of focusing on secure file transfer solutions. Their past campaigns have successfully compromised major platforms including Accellion FTA, GoAnywhere MFT, and the widespread MOVEit Transfer attacks that impacted thousands of organizations globally. More recently, the group has exploited a zero-day vulnerability in Oracle E-Business Suite to pilfer data from numerous high-profile entities since August 2025. Victims from that incident included institutions like Harvard University, The Washington Post, and the American Airlines subsidiary Envoy Air.

Following a breach, Clop’s standard procedure involves exfiltrating confidential files and then publishing the stolen data on its dark web leak site, often making it available for download via torrent networks. The financial and reputational damage from such incidents can be severe. In response to the gang’s persistent global threat, the U.S. Department of State has announced a $10 million reward for information that could tie the group’s activities to a foreign state actor. A spokesperson for Gladinet was not available for immediate comment regarding the latest campaign. Organizations using CentreStack are urged to ensure their systems are fully updated and not unnecessarily exposed to the public internet.

(Source: Bleeping Computer)
