Clop ransomware gang claims to have stolen data from over 130 organizations, including 1 million CHS Healthcare patients.
The extortion gang told Bleeping Computer it exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool to exfiltrate data over a period of ten days.
The high severity (CVSS v3 7.2) vulnerability CVE-2023-0669 affects unpatched Fortra (formerly HelpSystems) GoAnywhere MFT file transfer instances with internet-exposed administrative consoles. Shodan scans discovered over 1,000 GoAnywhere instances accessible over the internet.
Clop ransomware gang exploits Fortra GoAnywhere zero-day vulnerability
The remote code execution (RCE) vulnerability grants attackers shell access to vulnerable servers, allowing them to execute arbitrary code without authentication.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the GoAnywhere zero-day flaw to its Known Exploited Vulnerabilities (KEV) catalog. This requires federal agencies to patch the vulnerability within one month to prevent the exploitation of government networks.
“GoAnywhere MFT contains a pre-authentication remote code-execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object,” CISA wrote.
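As an added illustration of the vulnerability class CISA describes (a servlet deserializing an attacker-controlled object), the Java snippet below is example code written for this article, not GoAnywhere's code or Fortra's fix. The LicenseResponse type is a hypothetical stand-in for whatever a real license servlet expects; the JDK ObjectInputFilter API it uses is real (Java 9 and later). It puts an unrestricted readObject() beside the same read guarded by an allowlist filter, which is the standard way to stop a servlet from instantiating arbitrary classes out of bytes it did not produce itself:

```java
import java.io.*;
import java.util.List;

/**
 * Added example (not GoAnywhere's code): the deserialization pattern behind the
 * vulnerability class CISA describes, beside one hardening pattern for it.
 * LicenseResponse is a hypothetical type standing in for a real servlet's payload.
 */
public class DeserializationFilterExample {

    // Hypothetical payload type the server legitimately expects.
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String licensee;
        public LicenseResponse(String licensee) { this.licensee = licensee; }
    }

    /** Vulnerable pattern: readObject() on untrusted bytes with no class restrictions.
     *  Any Serializable class on the classpath may be instantiated from the stream,
     *  which is what gadget-chain deserialization attacks rely on. */
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: an allowlist filter permits only the expected class, rejects
     *  every other class ("!*"), and caps object-graph depth and stream size. */
    static LicenseResponse readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterExample$LicenseResponse;!*;maxdepth=5;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allow);
            return (LicenseResponse) in.readObject();
        }
    }

    // Helper to produce constructed sample input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one of the expected type, one of some other class
        // that happens to be on the classpath (ArrayList stands in for "anything").
        byte[] expected = serialize(new LicenseResponse("example-tenant"));
        byte[] unexpected = serialize(new java.util.ArrayList<>(List.of("not a license")));

        System.out.println("unfiltered, expected type:   " + readUnfiltered(expected).getClass());
        // The unfiltered reader happily materialises a class it never asked for.
        System.out.println("unfiltered, unexpected type: " + readUnfiltered(unexpected).getClass());

        System.out.println("filtered, expected type:     " + readFiltered(expected).licensee);
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected type:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            // The filter rejects the class before any of its code runs.
            System.out.println("filtered, unexpected type:   rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterExample.java && java DeserializationFilterExample` on a JDK 9 or newer. The allowlist is defence in depth for code you control; for a product like GoAnywhere MFT the vendor patch and removing the admin console from the internet remain the controls that actually close the exposure.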
Meanwhile, Fortra published instructions on disabling the impacted servlet and later released security updates, urging customers to apply the fixes urgently.
“We urgently advise all GoAnywhere MFT customers to apply this patch,” Fortra stressed. “Particularly for customers running an admin portal exposed to the internet, we consider this an urgent matter.”
The company later disclosed that advanced persistent threat actors had compromised its servers and created rogue user accounts. The Clop gang had told Bleeping Computer that it could have moved laterally and deployed ransomware but decided against it.
“Service continues to be restored on a customer-by-customer basis as mitigation is applied and verified within each environment,” Fortra wrote.
The attack mirrors the December 2020 Accellion File Transfer Appliance (FTA) data breach that affected approximately 100 organizations. That incident affected high-profile victims, including energy giant Shell, cybersecurity firm Qualys, the Australian Securities and Investments Commission, Canadian aviation company Bombardier, Jones Day Law Firm, retail chain Kroger, Morgan Stanley, Singtel, Stanford University, and the University of California. Healthcare organizations Beaumont Health, Centene, Trinity Health, and Kroger Health also suffered the FTA data breach.
The Clop ransomware incident forced Accellion to pay $8.1 million to settle a class action lawsuit accusing the company of failing to implement proper security measures and detect vulnerabilities.
Fortra GoAnywhere MFT data breach exposes 1 million CHS Healthcare patients
Community Health Systems (CHS), an American healthcare operator with nearly 80 hospitals in 16 states, confirmed that threat actors, likely the Clop ransomware gang, had accessed CHS Healthcare patients’ data via the Fortra GoAnywhere managed file transfer tool.
“As a result of the security breach experienced by Fortra, protected health information and personal information of certain patients of the company’s affiliates were exposed by Fortra’s attacker,” CHS reported in an 8-K filing with the Securities and Exchange Commission.
The healthcare provider began investigating the incident to determine whether, and which, protected health information (PHI) and personally identifiable information (PII) had been exposed. Although the probe was still in progress, the Franklin, Tennessee-based healthcare provider estimated that the Clop ransomware incident affected approximately 1 million patients.
Subsequently, the healthcare provider offered complimentary identity theft protection services to impacted CHS Healthcare patients.
According to its regulatory filing, CHS also anticipates additional costs beyond insurance coverage but does not believe the breach affected its information systems or would disrupt the delivery of patient care.
This is the second large-scale data breach to impact CHS healthcare patients in almost a decade. Between April and June 2014, 4.5 million CHS healthcare patients were impacted by a larger data breach attributed to Chinese state-sponsored advanced persistent threat actors. Although the breach did not include protected patient health information, it exposed sensitive CHS Healthcare patients’ personal information, including names, addresses, dates of birth, Social Security Numbers (SSNs), and telephone numbers. In 2019, CHS agreed to pay $5 million to settle a class action lawsuit and implement security measures to prevent a similar incident.
Commenting on CHS Healthcare patients’ data leak, Almog Apirion, CEO and Co-Founder of Cyolo said: “Healthcare organizations are unfortunately no stranger to cyberattacks and data breaches. Institutions like Community Health Systems (CHS) are an attractive target for threat actors due to their troves of personal information and their reliance on third parties both for cybersecurity and other aspects of their work.”
According to Apirion, “it’s only a matter of time” before hackers exploit internet-exposed admin consoles.