Clop Ransomware Group Exploiting Gladinet CentreStack Servers to Steal Data
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The Clop ransomware group has launched a new data extortion campaign targeting Internet-facing Gladinet CentreStack file servers, marking another chapter in the threat actor\u2019s pattern of exploiting file transfer solutions.<\/p>\n
The campaign appears to leverage multiple security weaknesses in CentreStack and its sister product Triofox, including recently discovered vulnerabilities that allow attackers to gain unauthorized access to sensitive corporate data.<\/p>\n
Recent port scan data suggests that over 200 unique IP addresses are running systems with the \u201cCentreStack \u2013 Login\u201d HTTP title, making them potential targets for the Clop group.<\/p>\n
The attackers are exploiting either a zero-day<\/a> or an unknown n-day vulnerability to compromise these systems.<\/p>\n Curated Intelligence analysts noted<\/a> that incident responders from their community have encountered this new extortion campaign across multiple organizations, raising concerns about the widespread impact of these attacks.<\/p>\n This campaign<\/a> follows Clop\u2019s established playbook of targeting file transfer servers. The group has previously compromised platforms such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere.<\/p>\n The focus on CentreStack represents an expansion of their targeting strategy, exploiting systems commonly used by businesses for secure file storage and sharing.<\/p>\n Two critical vulnerabilities have been identified<\/a> in the CentreStack and Triofox products. The first, CVE-2025-11371, is an unauthenticated local file inclusion flaw that allows attackers to retrieve the machine key from the application Web.config file.<\/p>\n Using directory traversal techniques, threat actors can access any file on the server by exploiting the vulnerable endpoint at \/storage\/t.dn.<\/p>\n The second vulnerability, CVE-2025-14611, involves hardcoded cryptographic keys in the AES implementation that enable attackers to decrypt access tickets and forge their own.<\/p>\n The exploitation begins when attackers target the CentreStack server through the vulnerable \/storage\/t.dn endpoint.<\/p>\n By manipulating the query parameter with directory traversal sequences, they retrieve the Web.config file containing hardcoded machine keys. A sample request looks like this:-<\/p>\n Once the machine key is obtained, attackers perform ViewState deserialization attacks to achieve remote code execution.<\/p>\n The hardcoded cryptographic keys in CVE-2025-14611 further enable them to create persistent access tickets with timestamps set to the year 9999, effectively granting indefinite access to the compromised system.<\/p>\n These techniques allow the Clop group to exfiltrate data<\/a> without authentication, making detection and prevention challenging for affected organizations.<\/p>\n Organizations running CentreStack or Triofox should immediately update to version 16.12.10420.56791 and rotate their machine keys.<\/p>\n Administrators should also review web server logs for suspicious GET requests containing \u201cvghpI7EToZUDIZDdprSubL3mTZ2,\u201d which represents the encrypted path to the Web.config file.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get MorWe Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Clop Ransomware Group Exploiting Gladinet CentreStack Servers to Steal Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Breakdown of the Attack Chain<\/strong><\/h2>\n
GET \/storage\/t.dn s=..\\..\\..\\Program+Files+(x86)\\Gladinet+Cloud+Enterprise\\root\\Web.config&sid=1<\/code><\/pre>\n