kras99 - stock.adobe.com

More victims emerge from Fortra GoAnywhere zero-day attacks

Threat actors began exploiting a zero-day vulnerability in Fortra's GoAnywhere file sharing software in late January, victimizing several large enterprises.

Fallout from cyber attacks exploiting a Fortra GoAnywhere vulnerability continues as more vulnerable organizations disclosed security incidents this week.

Fortra first became aware of a zero-day vulnerability affecting its GoAnywhere managed file transfer (MFT) software on Jan. 30. The software vendor, formerly known as HelpSystems, issued a private advisory to authenticated users only on Feb. 1 that warned of active exploitation and the dangers of keeping the administrative console exposed to the internet. The following day, cybersecurity reporter Brian Krebs publicly disclosed the vulnerability, but it was not assigned a CVE ID or patched until Feb. 7.

Since then, several prominent companies have disclosed data breaches related to exploitation of Fortra's GoAnywhere MFT remote code injection vulnerability, tracked as CVE-2023-0669. Some of those incidents have only been confirmed after the Clop ransomware gang claimed responsibility through its public data leak site.

Two more victims emerged this week. On Wednesday, the ransomware group added Procter & Gamble Company to its leak site and wrote "coming soon" under information. While Procter & Gamble did not respond to TechTarget Editorial's request for comment, it did confirm the breach was related to the Fortra GoAnywhere breach in a statement to The Cyber Express.

Bleeping Computer reported another one of Clop's latest victims Tuesday, Saks Fifth Avenue. The department store chain confirmed to the media outlet that the attack was related to an unpatched GoAnywhere MFT instance but said it only affected "mock customer data."

Late last week, Hitachi Energy blamed a third-party security incident on the Fortra flaw as well.

"We recently learned that a third-party software provider called Fortra GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the Clop ransomware group that could have resulted in an unauthorized access to employee data in some countries," Hitachi wrote in a statement.

The energy provider disconnected the software, contacted law enforcement and initiated an ongoing investigation after learning of the attack against Fortra. While it appears no customer data was compromised, Hitachi did say it notified employees who may have been affected.

Two days prior, cybersecurity vendor Rubrik disclosed it also suffered a data breach related to Fortra. Unlike Hitachi Energy, which said the attack did not affect network operations, Rubrik forced its nonproduction infrastructure offline. Additionally, a statement by Rubrik CISO Michael Mestrovich confirmed attackers stole corporate data including customer and partner company names, business contacts and purchase orders.

Rubrik's disclosure came just after the Clop ransomware gang added the cybersecurity vendor to its data leak site, used to pressure victims into paying.

On March 7, Community Health Systems (CHS) revealed it initiated a data breach investigation after being notified by Fortra of a security incident affecting the MFT software on Feb. 2. Based in the U.S., CHS has 79 hospitals across 16 states.

So far, CHS determined that patient information, a limited amount of employee information and other individual data may have been compromised because of exploitation of the Fortra vulnerability. On top of Social Security numbers, names and addresses, stolen data includes sensitive information such as medical billing and insurance data, as well as diagnoses and medication details.

The hospital chain has implemented additional security measures as a result of the attack against the GoAnywhere platform.

Finally, one of the first victims to disclose a security incident related to Fortra was Hatch Bank on Feb. 28. In a data breach notification letter to the Office of the Maine Attorney General, the California-based bank said it was notified by Fortra on Feb. 3. An investigation has since revealed that names and Social Security numbers were affected.

Saeed Abbasi, manager of vulnerability signatures at Qualys, told TechTarget Editorial that File Transfer Appliances and MFT products are widely adopted by large enterprises for their scalability, automation and unified control capabilities. The goal of these products is to reduce the risk of data breaches and unauthorized access, he said.

"However, as with anything, there are always potential challenges to consider. Some of the risks posed include supply chain attacks and software vulnerabilities, which necessitate thorough evaluation and regular security assessments of these vendors," Abbasi said in an email to TechTarget Editorial. "And, as with any product, they require proper configuration which raises complexity and could accidentally create a security risk."

Dig Deeper on Data security and privacy

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close