The City of Toronto is the latest organization to fall victim to the ongoing Clop ransomware attack. It was targeting companies running the vulnerable GoAnywhere file transfer utility. Other victims of the attack include the UK’s Virgin Red and the statutory corporation, Pension Protection Fund. The attack exploits a remote code execution flaw in Fortra’s GoAnywhere secure file transfer tool. For this the Clop group claims to have used to breach over 130 organizations so far.
City if Toronto confirms data theft
The Clop ransomware gang breached City of Toronto’s data. According to the group’s dark web site, and the City later confirmed the data theft on March 20. A City of Toronto spokesperson stated that “unauthorized access to City data did occur through a third party vendor. The access was limited to files that were unable to be processed through the third party secure file transfer system. The City of Toronto is actively investigating the details of the identified files.
The spokesperson also highlighted the City of Toronto’s commitment to protecting the privacy and security of Torontonians. Its efforts to fend off daily cyber attacks. Toronto is among Clop’s growing list of victims running vulnerable versions of a Fortra program called GoAnywhere.
The flaw, tracked as CVE-2023-0669, allows attackers to gain remote code execution. It was on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access. Fortra had previously disclosed to its customers that the vulnerability had been exploited as a zero-day in the wild. Government also urges customers to patch their systems.
Clop ransomware targets numerous organizations
In February, Clop contacted experts claiming to have breached 130+ organizations and stolen their data . Within span of ten days by exploiting this particular vulnerability on enterprise servers. Since then, the list of victims continues to grow on a daily basis.
This month, Hitachi Energy, Saks Fifth Avenue, and cybersecurity company Rubrik all disclosed impact from Clop resulting from the same zero-day.
Clop ransomware hits UK’s Virgin Red, govt pension fund
Clop’s other victims this week include the UK’s Virgin Red, a rewards club owned by Virgin Group that allows customers to earn and spend points across Virgin businesses, and other partner organizations. While Clop lists the victim as “Virgin,” a spokesperson told BleepingComputer that the breach only affected Virgin Red. The files in question reportedly contain no personal data and pose no risk to customers or employees.
Another organization to confirm an impact from the file transfer software vendor is the UK’s Pension Protection Fund (PPF), a statutory public corporation accountable to the UK Parliament through the Secretary of State for the Department for Work and Pensions. In PPF’s case, the ransomware and extortion group managed to obtain employee data.
“Regrettably some of our current and former employees have been affected by the potential breach,” said the PPF in a statement. “We have already advised all of those affected of the situation and offered our support and additional monitoring services to help them.”
PPF has stopped using GoAnywhere and continues to work closely with Fortra, its security partners, and law enforcement agencies as part of its investigatory activities.
Organizations should patch vulnerable systems
Organizations running the vulnerable GoAnywhere secure file transfer utility should patch their systems as soon as possible to safeguard themselves from such cyber attacks. The Clop group’s latest attacks show the potential harm that ransomware can inflict on organizations, highlighting the need for robust cybersecurity measures and prompt patching of vulnerabilities.
