According to Community Health Systems (CHS Healthcare), a recent wave of attacks aimed at a zero-day vulnerability in Fortra’s GoAnywhere MFT secure data transfer platform impacted the company.
On Monday, CHS Healthcare, one of the largest healthcare providers, said that Fortra had alerted it to security incidents that compromised certain CHS data.
A further investigation showed that the resulting data breach affected the personal and health information of up to 1 million patients.
While the investigation is still ongoing, CHS stated in an 8-K filing with the SEC, first noted by DataBreaches.net: “The Company believes that the Fortra breach has not had any effect on any of the Company’s information systems. Also, there has been no material interruption of the Company’s business activities, including the delivery of patient care.”
“The Company now thinks that about one million people may have been affected by this attack concerning the PHI or PI compromised by the Fortra hack.”
Additionally, it stated that it would provide identity theft protection services and alert any affected people whose information was compromised.
CHS, a top healthcare provider, runs over 1,000 care locations throughout the US and 79 associated acute-care hospitals.
The Clop gang claims that it breached 130 Fortra clients
The Clop ransomware gang, which claims responsibility for these attacks, told BleepingComputer that it has infiltrated over 130 organizations and taken data from them.
Additionally, Clop claimed that the data theft occurred more than ten days after it purportedly broke into GoAnywhere MFT servers that were vulnerable to CVE-2023-0669 RCE attacks.
When questioned about their claims, including when the attacks started, whether they had started extorting victims, and what ransoms they were demanding, the gang gave no evidence or further information.
BleepingComputer could not verify any of Clop’s assertions independently, and Fortra has not yet responded to multiple emails requesting more information about the CVE-2023-0669 vulnerability and the claims made by the ransomware organization.
However, Joe Slowik, the Huntress Threat Intelligence Manager, also discovered connections between the GoAnywhere MFT attacks and TA505, a threat group that has previously used Clop ransomware.
Clop used a similar strategy in December 2020, when it found and exploited a zero-day vulnerability in Accellion’s legacy File Transfer Appliance (FTA) to steal sizable amounts of data from about 100 businesses globally.
The victims then got emails requesting $10 million in ransom to prevent the publication of their data on the data leak website operated by the cybercrime outfit.
The organizations whose Accellion servers were compromised include energy giant Shell, cybersecurity company Qualys, supermarket behemoth Kroger, and numerous universities worldwide, such as Stanford Medicine and UMB.
If Clop employs a similar extortion tactic, non-paying victims will probably soon have their data published on the threat actor’s data leak website.
Federal agencies ordered to patch by March 3rd
The developer of GoAnywhere MFT, Fortra (formerly HelpSystems), informed its clients last week that a new vulnerability (CVE-2023-0669) was being exploited as a zero-day in the wild.
After a proof-of-concept exploit was published online, allowing unauthenticated attackers to obtain remote code execution on susceptible servers, the company immediately released security updates.
Shodan currently indicates that over 1,000 GoAnywhere instances are vulnerable to attacks. However, only 136 of those instances are on ports 8000 and 8001 (the ones used by the vulnerable admin console).